Add optional web UI authentication and CONTRIBUTING.md

- Session-based login with configurable admin password
- All routes except /health and /setup protected when enabled
- Admin password encrypted at rest, configurable in Settings
- Logout link in sidebar, login page with i18n (EN/DE)
- CONTRIBUTING.md with dev setup, guidelines, modem driver docs
- 82 tests (12 new auth tests)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: itsDNNS

.env.example

@@ -19,3 +19,6 @@ POLL_INTERVAL=300
 WEB_PORT=8765
 HISTORY_DAYS=7
 DATA_DIR=/data
+
+# Authentication (optional - leave empty to disable)
+ADMIN_PASSWORD=

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 Versioning: `YYYY-MM-DD.N` (date + sequential build number per day)
 
+## [2026-02-09.13]
+
+### Added
+- **Web UI authentication**: Optional admin password protects all routes except `/health`; configurable in Settings
+- **Login page**: Clean login form with i18n support (EN/DE)
+- **Logout**: Session-based auth with logout link in sidebar
+- **CONTRIBUTING.md**: Guidelines for contributors and modem driver development
+
 ## [2026-02-09.12]
 
 ### Added

CONTRIBUTING.md

@@ -0,0 +1,59 @@
+# Contributing to DOCSight
+
+Thanks for your interest in contributing!
+
+## Development Setup
+
+```bash
+git clone https://github.com/itsDNNS/docsight.git
+cd docsight
+pip install -r requirements.txt
+pip install pytest
+```
+
+## Running Tests
+
+```bash
+python -m pytest tests/ -v
+```
+
+## Running Locally
+
+```bash
+python -m app.main
+```
+
+Open `http://localhost:8765` to access the setup wizard.
+
+## Project Structure
+
+```
+app/
+  main.py          - Entrypoint, polling loop, thread management
+  web.py           - Flask routes and API endpoints
+  analyzer.py      - DOCSIS channel health analysis
+  fritzbox.py      - FritzBox data.lua API client
+  config.py        - Configuration management (env + config.json)
+  storage.py       - SQLite snapshot storage
+  mqtt_publisher.py - MQTT Auto-Discovery for Home Assistant
+  i18n.py          - Translation strings (EN/DE)
+  templates/       - Jinja2 HTML templates
+tests/             - pytest test suite
+```
+
+## Guidelines
+
+- Keep changes focused and minimal
+- Add tests for new functionality
+- Maintain English and German translations in `app/i18n.py`
+- CHANGELOG entries must be in English
+- Run the full test suite before submitting a PR
+
+## Adding Modem Support
+
+DOCSight currently supports AVM FRITZ!Box Cable routers. To add support for another modem:
+
+1. Create a new module in `app/` (e.g., `app/arris.py`)
+2. Implement `login()`, `get_docsis_data()`, and `get_device_info()` matching the FritzBox API
+3. Return data in the same format as `fritzbox.get_docsis_data()` so the analyzer works unchanged
+4. Update `main.py` to select the modem driver based on configuration

app/config.py

@@ -12,7 +12,7 @@
 POLL_MIN = 60
 POLL_MAX = 3600
 
-SECRET_KEYS = {"fritz_password", "mqtt_password"}
+SECRET_KEYS = {"fritz_password", "mqtt_password", "admin_password"}
 PASSWORD_MASK = "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022"
 
 DEFAULTS = {
@@ -31,6 +31,7 @@
     "theme": "dark",
     "language": "en",
     "isp_name": "",
+    "admin_password": "",
 }
 
 ENV_MAP = {
@@ -46,6 +47,7 @@
     "web_port": "WEB_PORT",
     "history_days": "HISTORY_DAYS",
     "data_dir": "DATA_DIR",
+    "admin_password": "ADMIN_PASSWORD",
 }
 
 INT_KEYS = {"mqtt_port", "poll_interval", "web_port", "history_days"}

app/i18n.py

@@ -163,6 +163,15 @@
     "copied": "Copied!",
     "close": "Close",
     "export_no_data": "No data available yet. Wait for the first poll.",
+
+    # Auth
+    "login_title": "Login",
+    "login_hint": "Enter the admin password to access DOCSight.",
+    "login_failed": "Invalid password",
+    "login_button": "Login",
+    "logout": "Logout",
+    "admin_password": "Admin Password",
+    "admin_password_hint": "Leave empty to disable authentication",
 }
 
 DE = {
@@ -310,6 +319,14 @@
     "copied": "Kopiert!",
     "close": "Schliessen",
     "export_no_data": "Noch keine Daten vorhanden. Warte auf die erste Abfrage.",
+
+    "login_title": "Anmeldung",
+    "login_hint": "Gib das Admin-Passwort ein, um auf DOCSight zuzugreifen.",
+    "login_failed": "Falsches Passwort",
+    "login_button": "Anmelden",
+    "logout": "Abmelden",
+    "admin_password": "Admin-Passwort",
+    "admin_password_hint": "Leer lassen um Authentifizierung zu deaktivieren",
 }
 
 _TRANSLATIONS = {"en": EN, "de": DE}

app/templates/index.html

@@ -364,6 +364,11 @@
         <a class="sidebar-link" id="export-link" onclick="exportForLLM()">
             <span class="icon">&#128196;</span> {{ t.export_llm }}
         </a>
+        {% if auth_enabled %}
+        <a class="sidebar-link" href="/logout">
+            <span class="icon">&#128682;</span> {{ t.logout }}
+        </a>
+        {% endif %}
         <div class="sidebar-divider"></div>
         <details class="sidebar-ref">
             <summary>{{ t.reference_values }}</summary>

app/templates/login.html

@@ -0,0 +1,108 @@
+<!DOCTYPE html>
+<html lang="{{ lang }}" data-theme="{{ theme|default('dark') }}">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>DOCSight - {{ t.login_title }}</title>
+    <style>
+        :root, [data-theme="dark"] {
+            --bg: #1a1a2e;
+            --surface: #16213e;
+            --card: #0f3460;
+            --text: #e0e0e0;
+            --muted: #888;
+            --crit: #f44336;
+            --accent: #00adb5;
+            --input-bg: #0d1b3e;
+            --input-border: rgba(255,255,255,0.15);
+        }
+        [data-theme="light"] {
+            --bg: #f0f2f5;
+            --surface: #ffffff;
+            --card: #e8edf2;
+            --text: #1a1a2e;
+            --muted: #666;
+            --crit: #c62828;
+            --accent: #00838f;
+            --input-bg: #f8f9fa;
+            --input-border: rgba(0,0,0,0.15);
+        }
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+            background: var(--bg);
+            color: var(--text);
+            min-height: 100vh;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+        }
+        .login-box {
+            background: var(--surface);
+            border-radius: 12px;
+            padding: 2.5rem;
+            width: 100%;
+            max-width: 380px;
+            box-shadow: 0 4px 24px rgba(0,0,0,0.3);
+        }
+        .login-box h1 {
+            font-size: 1.5rem;
+            margin-bottom: 0.25rem;
+        }
+        .login-box .hint {
+            color: var(--muted);
+            font-size: 0.85rem;
+            margin-bottom: 1.5rem;
+        }
+        .login-box .error {
+            background: rgba(244,67,54,0.15);
+            color: var(--crit);
+            padding: 0.5rem 0.75rem;
+            border-radius: 6px;
+            font-size: 0.85rem;
+            margin-bottom: 1rem;
+        }
+        .login-box input[type="password"] {
+            width: 100%;
+            padding: 0.65rem 0.75rem;
+            border-radius: 6px;
+            border: 1px solid var(--input-border);
+            background: var(--input-bg);
+            color: var(--text);
+            font-size: 1rem;
+            margin-bottom: 1rem;
+        }
+        .login-box input:focus {
+            outline: none;
+            border-color: var(--accent);
+        }
+        .login-box button {
+            width: 100%;
+            padding: 0.65rem;
+            border-radius: 6px;
+            border: none;
+            background: var(--accent);
+            color: #fff;
+            font-size: 1rem;
+            font-weight: 600;
+            cursor: pointer;
+        }
+        .login-box button:hover {
+            opacity: 0.9;
+        }
+    </style>
+</head>
+<body>
+    <div class="login-box">
+        <h1>DOCSight</h1>
+        <p class="hint">{{ t.login_hint }}</p>
+        {% if error %}
+        <div class="error">{{ error }}</div>
+        {% endif %}
+        <form method="POST">
+            <input type="password" name="password" placeholder="{{ t.password }}" autofocus required>
+            <button type="submit">{{ t.login_button }}</button>
+        </form>
+    </div>
+</body>
+</html>

app/templates/settings.html

@@ -246,6 +246,11 @@ <h2>{{ t.general }}</h2>
                     {% endfor %}
                 </select>
             </div>
+            <div class="form-row">
+                <label for="admin_password">{{ t.admin_password }}</label>
+                <input type="password" id="admin_password" name="admin_password" value="{{ config.admin_password }}" placeholder="{{ t.admin_password_hint }}">
+                <span class="hint">{{ t.admin_password_hint }}</span>
+            </div>
         </div>
     </div>
 
@@ -286,7 +291,7 @@ <h2>{{ t.general }}</h2>
 }
 
 var MASK = '\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022';
-var SECRET_FIELDS = ['fritz_password', 'mqtt_password'];
+var SECRET_FIELDS = ['fritz_password', 'mqtt_password', 'admin_password'];
 
 function getFormData() {
     var form = document.getElementById('settings-form');

app/web.py

@@ -1,17 +1,20 @@
 """Flask web UI for DOCSight – DOCSIS channel monitoring."""
 
+import functools
 import logging
+import os
 import time
 from datetime import datetime, timedelta
 
-from flask import Flask, render_template, request, jsonify, redirect
+from flask import Flask, render_template, request, jsonify, redirect, session, url_for
 
 from .config import POLL_MIN, POLL_MAX, PASSWORD_MASK, SECRET_KEYS
 from .i18n import get_translations, LANGUAGES
 
 log = logging.getLogger("docsis.web")
 
 app = Flask(__name__, template_folder="templates")
+app.secret_key = os.environ.get("FLASK_SECRET_KEY", os.urandom(32))
 
 
 @app.template_filter("fmt_k")
@@ -67,6 +70,56 @@ def init_config(config_manager, on_config_changed=None):
     _on_config_changed = on_config_changed
 
 
+def _auth_required():
+    """Check if auth is enabled and user is not logged in."""
+    if not _config_manager:
+        return False
+    admin_pw = _config_manager.get("admin_password", "")
+    if not admin_pw:
+        return False
+    return not session.get("authenticated")
+
+
+def require_auth(f):
+    """Decorator: redirect to /login if auth is enabled and not logged in."""
+    @functools.wraps(f)
+    def decorated(*args, **kwargs):
+        if _auth_required():
+            return redirect("/login")
+        return f(*args, **kwargs)
+    return decorated
+
+
+@app.route("/login", methods=["GET", "POST"])
+def login():
+    if not _config_manager or not _config_manager.get("admin_password", ""):
+        return redirect("/")
+    lang = _get_lang()
+    t = get_translations(lang)
+    theme = _config_manager.get_theme() if _config_manager else "dark"
+    error = None
+    if request.method == "POST":
+        pw = request.form.get("password", "")
+        if pw == _config_manager.get("admin_password", ""):
+            session["authenticated"] = True
+            return redirect("/")
+        error = t.get("login_failed", "Invalid password")
+    return render_template("login.html", t=t, lang=lang, theme=theme, error=error)
+
+
+@app.route("/logout")
+def logout():
+    session.pop("authenticated", None)
+    return redirect("/login")
+
+
+@app.context_processor
+def inject_auth():
+    """Make auth_enabled available in all templates."""
+    auth_enabled = bool(_config_manager and _config_manager.get("admin_password", ""))
+    return {"auth_enabled": auth_enabled}
+
+
 def update_state(analysis=None, error=None, poll_interval=None, connection_info=None):
     """Update the shared web state from the main loop."""
     if analysis is not None:
@@ -82,6 +135,7 @@ def update_state(analysis=None, error=None, poll_interval=None, connection_info=
 
 
 @app.route("/")
+@require_auth
 def index():
     if _config_manager and not _config_manager.is_configured():
         return redirect("/setup")
@@ -134,6 +188,7 @@ def setup():
 
 
 @app.route("/settings")
+@require_auth
 def settings():
     config = _config_manager.get_all(mask_secrets=True) if _config_manager else {}
     theme = _config_manager.get_theme() if _config_manager else "dark"
@@ -143,6 +198,7 @@ def settings():
 
 
 @app.route("/api/config", methods=["POST"])
+@require_auth
 def api_config():
     """Save configuration."""
     if not _config_manager:
@@ -168,6 +224,7 @@ def api_config():
 
 
 @app.route("/api/test-fritz", methods=["POST"])
+@require_auth
 def api_test_fritz():
     """Test FritzBox connection."""
     try:
@@ -189,6 +246,7 @@ def api_test_fritz():
 
 
 @app.route("/api/test-mqtt", methods=["POST"])
+@require_auth
 def api_test_mqtt():
     """Test MQTT broker connection."""
     try: