"""Flask app that serves dashboard.html behind a session-based login form. Used in two modes: - Local development: run `python web.py` and visit http://localhost:5000. - Production behind Cloudflare Access: this login form remains as defense-in-depth; edge auth (Cloudflare Access with Google SSO) is the primary gate. Auth credentials come from .env: DASHBOARD_USERNAME (default: tribune) DASHBOARD_PASSWORD (required) FLASK_SECRET_KEY (optional; auto-generated per process if not set, which logs out everyone on every restart — set it in .env for stable sessions) """ import hmac import os import secrets from datetime import timedelta from functools import wraps from pathlib import Path from dotenv import load_dotenv from flask import ( Flask, abort, redirect, render_template_string, request, send_file, session, url_for, ) load_dotenv() DASHBOARD_PATH = Path(os.environ.get("DASHBOARD_PATH", "dashboard.html")) USERNAME = os.environ.get("DASHBOARD_USERNAME", "tribune") PASSWORD = os.environ.get("DASHBOARD_PASSWORD") if not PASSWORD: raise SystemExit( "DASHBOARD_PASSWORD is not set in .env. " "Add a line like `DASHBOARD_PASSWORD=` and re-run." ) app = Flask(__name__) app.secret_key = os.environ.get("FLASK_SECRET_KEY") or secrets.token_hex(32) app.permanent_session_lifetime = timedelta(days=30) def login_required(view): @wraps(view) def wrapped(*args, **kwargs): if not session.get("logged_in"): return redirect(url_for("login", next=request.path)) return view(*args, **kwargs) return wrapped @app.route("/login", methods=["GET", "POST"]) def login(): error = None if request.method == "POST": u = request.form.get("username", "") p = request.form.get("password", "") if hmac.compare_digest(u, USERNAME) and hmac.compare_digest(p, PASSWORD): session["logged_in"] = True session.permanent = True return redirect(request.args.get("next") or url_for("index")) error = "Invalid username or password." elif session.get("logged_in"): return redirect(url_for("index")) return render_template_string(LOGIN_TEMPLATE, error=error) @app.route("/logout") def logout(): session.clear() return redirect(url_for("login")) @app.route("/") @login_required def index(): if not DASHBOARD_PATH.exists(): abort( 503, description=( "dashboard.html has not been generated yet. " "Run `python run.py` first." ), ) return send_file(DASHBOARD_PATH, mimetype="text/html") @app.route("/healthz") def healthz(): return ("ok", 200) if DASHBOARD_PATH.exists() else ("dashboard missing", 503) LOGIN_TEMPLATE = """ Sign in - Funnel Tracker

Funnel Tracker

Sign in to view the dashboard.
{% if error %}
{{ error }}
{% endif %}
""" if __name__ == "__main__": port = int(os.environ.get("PORT", 5000)) app.run(host="0.0.0.0", port=port, debug=False)