Feat/webserver auth

[cchwala]

feat/webserver-auth — Flask-Login, per-request SET LOCAL ROLE, secure views

What this PR does

Adds authentication to the webserver and enforces per-user data isolation at the database level for every request.

Changes

Authentication (Flask-Login)

• All routes protected with @login_required; unauthenticated requests redirect to /login
• Session-based login/logout at /login and /logout
• Users loaded from webserver/configs/users.json (scrypt-hashed passwords via werkzeug)
• Open-redirect protection on the next parameter

Per-request DB role scoping

• New user_db_scope(user_id) context manager: connects as webserver_role, issues SET LOCAL ROLE <user_id> using psycopg2.sql.Identifier (not string interpolation), yields connection, commits/rolls back, closes
• SET LOCAL is automatically reverted at transaction end — role bleed between requests is impossible
• All data routes switched to user_db_scope and the security-barrier views (cml_data_secure, cml_data_1h_secure) instead of raw tables

Configuration

• docker-compose.yml: webserver now connects as webserver_role, SECRET_KEY and USERS_CONFIG_PATH added as env vars, configs/ volume mounted read-only
• webserver/requirements.txt: Flask-Login==0.6.3 added

Tests (main.py coverage 39% → 49%)

• test_auth.py: protected route redirects, login (valid/invalid/unknown), open-redirect blocked, logout clears session
• test_user_db_scope.py: unknown user rejected before any DB call, rollback on exception, SET LOCAL ROLE uses pgsql.Composable
• test_helpers.py: safe_float edge cases, load_user known/unknown
• test_api_routes.py: /api/cml-metadata, /api/cml-map, /api/data-time-range (both branches)
• Updated test_api_cml_stats.py for new auth layer

Docs

• webserver/README.md: user management, password hash generation, adding users
• docs/multi-user-architecture.md: PR8 (feat/grafana-auth-proxy) planned and documented

Known gap

Grafana currently connects as myuser (superuser) and bypasses RLS — it sees all tenants' data. The /grafana/ proxy is gated by @login_required so unauthenticated access is blocked, but data isolation inside Grafana is not yet enforced. This is addressed in the next PR (feat/grafana-auth-proxy).

Security notes

• Role name passed to SET LOCAL ROLE via pgsql.Identifier, never string-formatted — SQL injection not possible
• user_id is allowlisted against USERS before any SQL is composed
• Passwords stored as scrypt hashes; never logged or returned in responses
• SECRET_KEY defaults to os.urandom(32) in dev; production should set it via env

[codecov]

Codecov Report

❌ Patch coverage is 74.38017% with 31 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.18%. Comparing base (b269a79) to head (37e1f05).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
webserver/main.py	74.38%	31 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #40      +/-   ##
==========================================
+ Coverage   78.77%   81.18%   +2.41%     
==========================================
  Files          24       24              
  Lines        2327     2371      +44     
==========================================
+ Hits         1833     1925      +92     
+ Misses        494      446      -48     

Flag	Coverage Δ
mno_simulator	86.72% <ø> (ø)
parser	85.48% <ø> (ø)
webserver	63.21% <74.38%> (+14.32%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.