feat: Admin authentication and dynamic OAuth URLs (#6)

* feat: Add admin authentication and dynamic OAuth URLs

SECURITY: Previously the admin dashboard was completely open - anyone
with the URL could access health data. This commit adds proper auth.

## Changes

### Authentication System
- Add AdminUser model with Argon2 password hashing
- Server-side session management (24hr expiry)
- First-run setup flow: create admin account before accessing dashboard
- Login/logout functionality with session cookies

### OAuth Fix
- Dynamic redirect_uri based on BASE_URL config or request headers
- No more hardcoded localhost:8000 URLs
- Works correctly behind reverse proxies (Coolify, Traefik, etc.)

### New Files
- src/polar_flow_server/admin/auth.py - Authentication logic
- src/polar_flow_server/core/password.py - Argon2 password hashing
- src/polar_flow_server/models/admin_user.py - AdminUser model
- templates/admin/login.html - Login form
- templates/admin/setup_account.html - First-run admin creation

### Flow
1. /admin → No admin exists? → /admin/setup/account
2. /admin → Not logged in? → /admin/login
3. /admin → No OAuth? → /admin/setup (with dynamic callback URL)
4. /admin → All good → /admin/dashboard

### Config
- BASE_URL: Set for production deployments
- SESSION_SECRET: Auto-generated if not set

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Address security review findings

- Add auth checks to all chart/export endpoints
- Add CSRF protection middleware with token validation
- Configure HTMX to include CSRF tokens in requests
- Fix deprecated datetime.utcnow() -> datetime.now(UTC)
- Improve email validation with proper regex pattern
- Fix email existence leak (generic "Invalid credentials" message)
- Change logout from GET to POST with CSRF protection
- Add index on is_active column in migration
- Fix bcrypt->Argon2 in docstring
- Fix SQLAlchemy session expire_on_commit for async context
- Replace pool_pre_ping with pool_recycle for greenlet compatibility

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: Fix import order

* fix: Use cookie-based CSRF token retrieval for mypy compatibility

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: StuMason

CLAUDE.md

@@ -0,0 +1,124 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Self-hosted health analytics server for Polar devices. Syncs data from Polar AccessLink API (9+ endpoints) to PostgreSQL and provides an HTMX-powered admin dashboard plus REST API.
+
+## Development Commands
+
+```bash
+# Install dependencies
+uv sync --all-extras
+
+# Start PostgreSQL (required for local development)
+docker-compose up -d postgres
+
+# Run server with hot reload
+uv run uvicorn polar_flow_server.app:app --reload
+
+# Run tests
+uv run pytest
+
+# Run single test file
+uv run pytest tests/test_api.py
+
+# Run single test function
+uv run pytest tests/test_api.py::test_health_check -v
+
+# Type check
+uv run mypy src/polar_flow_server
+
+# Lint
+uv run ruff check src/
+
+# Lint with auto-fix
+uv run ruff check src/ --fix
+```
+
+## Architecture
+
+### Stack
+- **Litestar** - Async web framework (not FastAPI)
+- **SQLAlchemy 2.0** - Async ORM with declarative models
+- **PostgreSQL** - Primary database (asyncpg driver)
+- **Alembic** - Database migrations (auto-run on container startup)
+- **polar-flow SDK** - Polar AccessLink API client
+- **HTMX + Tailwind** - Admin UI (server-rendered templates)
+
+### Source Layout (`src/polar_flow_server/`)
+
+```
+app.py              # Litestar application factory
+routes.py           # Root route (redirects to admin)
+core/
+  config.py         # Settings via pydantic-settings (reads .env)
+  database.py       # SQLAlchemy async engine/session
+  auth.py           # API key authentication guard
+  security.py       # Token encryption (Fernet)
+models/             # SQLAlchemy ORM models
+  base.py           # Base class, TimestampMixin, UserScopedMixin
+  user.py           # Polar user with encrypted tokens
+  sleep.py, activity.py, exercise.py, etc.
+transformers/       # SDK model -> DB model mappers
+  sleep.py, activity.py, etc.
+services/
+  sync.py           # SyncService - orchestrates Polar API sync
+api/
+  health.py         # /health endpoint
+  sleep.py          # /users/{user_id}/sleep endpoint
+  data.py           # All other data endpoints (activity, recharge, etc.)
+  sync.py           # Sync trigger endpoints
+admin/
+  routes.py         # Admin dashboard, OAuth flow, settings
+  auth.py           # Admin user authentication (session-based)
+templates/          # Jinja2 templates for admin UI
+```
+
+### Key Patterns
+
+**Multi-tenancy**: All data tables include `user_id` column via `UserScopedMixin`. Works for both self-hosted (one user) and SaaS (many users).
+
+**Transformers**: Each Polar SDK model has a corresponding transformer that maps to database model. Located in `transformers/` with consistent interface:
+```python
+class SleepTransformer:
+    @staticmethod
+    def transform(sdk_model, user_id: str) -> dict:
+        # Returns dict for SQLAlchemy upsert
+```
+
+**Sync Service** (`services/sync.py`): Single entry point for syncing all data types. Uses PostgreSQL upsert (ON CONFLICT DO UPDATE) for idempotent syncs.
+
+**Admin Auth**: Session-based authentication for admin panel (separate from API key auth). First-run flow: setup account -> OAuth credentials -> connect Polar.
+
+**API Auth**: Optional API key via `X-API-Key` header. Controlled by `API_KEY` env var. If not set, data endpoints are open.
+
+### Database
+
+- Migrations in `alembic/versions/`
+- Create migration: `uv run alembic revision --autogenerate -m "description"`
+- Apply migrations: `uv run alembic upgrade head`
+- Migrations run automatically in Docker via `docker-entrypoint.sh`
+
+### Configuration
+
+Key environment variables (see `.env.example`):
+- `DATABASE_URL` - PostgreSQL connection string
+- `DEPLOYMENT_MODE` - `self_hosted` (default) or `saas`
+- `API_KEY` - Optional API authentication
+- `SYNC_DAYS_LOOKBACK` - Days of historical data to sync (default 30)
+
+Secrets auto-generate in self-hosted mode and persist to `~/.polar-flow/`:
+- `encryption.key` - For Polar token encryption
+- `session.key` - For admin session cookies
+
+### Testing
+
+Tests use `pytest-asyncio` with auto mode. Test client:
+```python
+from litestar.testing import AsyncTestClient
+from polar_flow_server.app import create_app
+
+client = AsyncTestClient(app=create_app())
+```

alembic/env.py

@@ -20,6 +20,7 @@
     ECG,
     Activity,
     ActivitySamples,
+    AdminUser,
     APIKey,
     AppSettings,
     BodyTemperature,

alembic/versions/b2c3d4e5f678_add_admin_users_table.py

@@ -0,0 +1,49 @@
+"""Add admin_users table for dashboard auth.
+
+Revision ID: b2c3d4e5f678
+Revises: 94e67d473306
+Create Date: 2025-01-12
+"""
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "b2c3d4e5f678"
+down_revision: str | None = "94e67d473306"
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    """Create admin_users table."""
+    op.create_table(
+        "admin_users",
+        sa.Column("id", sa.String(36), primary_key=True),
+        sa.Column("email", sa.String(255), nullable=False, unique=True, index=True),
+        sa.Column("password_hash", sa.String(255), nullable=False),
+        sa.Column("name", sa.String(255), nullable=True),
+        sa.Column("is_active", sa.Boolean(), nullable=False, default=True, index=True),
+        sa.Column("last_login_at", sa.DateTime(timezone=True), nullable=True),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            nullable=False,
+            server_default=sa.func.now(),
+            onupdate=sa.func.now(),
+        ),
+    )
+
+
+def downgrade() -> None:
+    """Drop admin_users table."""
+    op.drop_table("admin_users")

src/polar_flow_server/admin/auth.py

@@ -0,0 +1,185 @@
+"""Admin authentication for dashboard access.
+
+Security Model:
+- Admin users stored in database with Argon2 hashed passwords
+- Server-side sessions (not JWT) for simplicity and security
+- Sessions stored in memory (use Redis for multi-instance deployments)
+- Session cookie is HTTP-only and secure in production
+"""
+
+from datetime import UTC, datetime
+from typing import Any
+
+from litestar.connection import ASGIConnection
+from litestar.exceptions import NotAuthorizedException
+from litestar.handlers import BaseRouteHandler
+from litestar.response import Redirect
+from litestar.status_codes import HTTP_303_SEE_OTHER
+from sqlalchemy import func, select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from polar_flow_server.core.password import hash_password, verify_password
+from polar_flow_server.models.admin_user import AdminUser
+
+
+async def admin_user_exists(session: AsyncSession) -> bool:
+    """Check if any admin user exists in the database.
+
+    Args:
+        session: Database session
+
+    Returns:
+        True if at least one admin user exists
+    """
+    result = await session.execute(select(func.count(AdminUser.id)))
+    count = result.scalar() or 0
+    return count > 0
+
+
+async def get_admin_by_email(email: str, session: AsyncSession) -> AdminUser | None:
+    """Get admin user by email.
+
+    Args:
+        email: Email address to look up
+        session: Database session
+
+    Returns:
+        AdminUser if found, None otherwise
+    """
+    result = await session.execute(
+        select(AdminUser).where(AdminUser.email == email, AdminUser.is_active == True)  # noqa: E712
+    )
+    return result.scalar_one_or_none()
+
+
+async def authenticate_admin(email: str, password: str, session: AsyncSession) -> AdminUser | None:
+    """Authenticate admin user with email and password.
+
+    Uses constant-time comparison via Argon2 to prevent timing attacks.
+
+    Args:
+        email: Admin email
+        password: Plain text password
+        session: Database session
+
+    Returns:
+        AdminUser if authentication successful, None otherwise
+    """
+    admin = await get_admin_by_email(email, session)
+    if not admin:
+        # Still hash something to prevent timing attacks
+        hash_password("dummy_password_to_prevent_timing_attack")
+        return None
+
+    # Access password_hash while in async context to avoid lazy loading issues
+    stored_hash = admin.password_hash
+
+    if not verify_password(password, stored_hash):
+        return None
+
+    # Update last login time
+    admin.last_login_at = datetime.now(UTC)
+    await session.commit()
+
+    return admin
+
+
+async def create_admin_user(
+    email: str,
+    password: str,
+    session: AsyncSession,
+    name: str | None = None,
+) -> AdminUser:
+    """Create a new admin user.
+
+    Args:
+        email: Admin email (must be unique)
+        password: Plain text password (will be hashed)
+        session: Database session
+        name: Optional display name
+
+    Returns:
+        Created AdminUser
+
+    Raises:
+        ValueError: If email already exists
+    """
+    # Check if email already exists
+    existing = await get_admin_by_email(email, session)
+    if existing:
+        raise ValueError(f"Admin user with email {email} already exists")
+
+    admin = AdminUser(
+        email=email,
+        password_hash=hash_password(password),
+        name=name,
+    )
+    session.add(admin)
+    await session.commit()
+    await session.refresh(admin)
+
+    return admin
+
+
+def is_authenticated(connection: ASGIConnection[Any, Any, Any, Any]) -> bool:
+    """Check if the current request has an authenticated admin session.
+
+    Args:
+        connection: The ASGI connection
+
+    Returns:
+        True if authenticated, False otherwise
+    """
+    session_data = connection.session
+    return session_data.get("admin_id") is not None
+
+
+async def require_admin_auth(
+    connection: ASGIConnection[Any, Any, Any, Any], _: BaseRouteHandler
+) -> None:
+    """Guard that requires admin authentication.
+
+    Use this guard on routes that should only be accessible to logged-in admins.
+
+    Raises:
+        NotAuthorizedException: If not authenticated (will redirect to login)
+    """
+    if not is_authenticated(connection):
+        # For API endpoints, return 401
+        # For browser requests, redirect to login
+        accept = connection.headers.get("accept", "")
+        if "text/html" in accept:
+            raise NotAuthorizedException(
+                detail="Authentication required",
+                extra={"redirect_to": "/admin/login"},
+            )
+        raise NotAuthorizedException(detail="Authentication required")
+
+
+def login_admin(connection: ASGIConnection[Any, Any, Any, Any], admin: AdminUser) -> None:
+    """Set up authenticated session for admin.
+
+    Args:
+        connection: The ASGI connection
+        admin: The authenticated admin user
+    """
+    connection.session["admin_id"] = admin.id
+    connection.session["admin_email"] = admin.email
+
+
+def logout_admin(connection: ASGIConnection[Any, Any, Any, Any]) -> None:
+    """Clear admin session.
+
+    Args:
+        connection: The ASGI connection
+    """
+    connection.session.clear()
+
+
+def get_redirect_for_unauthenticated() -> Redirect:
+    """Get redirect response to login page.
+
+    Returns:
+        Redirect to /admin/login
+    """
+    return Redirect(path="/admin/login", status_code=HTTP_303_SEE_OTHER)