demo/auth.py

"""
Simple Password Authentication for SPARKNET

Provides password-based access control for the Streamlit app.

SECURITY NOTES:
---------------
This module provides basic password authentication suitable for demos
and internal deployments. For production use, consider:

1. ENHANCED AUTHENTICATION:
   - Integrate with OAuth/OIDC (Google, Azure AD, Okta)
   - Use Streamlit's built-in OAuth support
   - Implement multi-factor authentication (MFA)

2. SESSION MANAGEMENT:
   - Configure session timeouts (default: browser session)
   - Implement session invalidation on logout
   - Consider IP-based session binding

3. PASSWORD SECURITY:
   - Use strong password requirements
   - Implement account lockout after failed attempts
   - Store passwords hashed with bcrypt (not SHA-256) for production

4. AUDIT LOGGING:
   - Log authentication attempts (success/failure)
   - Track user sessions
   - Monitor for suspicious activity

GDPR CONSIDERATIONS:
-------------------
- Authentication logs may contain personal data (usernames, IPs)
- Implement data retention policies for auth logs
- Support right-to-erasure for user accounts
- Document authentication processing in GDPR records

PRIVATE DEPLOYMENT:
------------------
For enterprise deployments:
- Integrate with existing identity providers
- Use LDAP/Active Directory for user management
- Implement role-based access control (RBAC)
- Enable single sign-on (SSO)

See SECURITY.md for comprehensive security documentation.
"""

import streamlit as st
import hashlib
import hmac
from typing import Optional


def hash_password(password: str) -> str:
    """Hash a password for secure storage."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password() -> bool:
    """
    Show login form and verify password.

    Returns True if password is correct, False otherwise.

    Configure password in Streamlit secrets:
        [auth]
        password = "your-secure-password"

    Or set multiple users:
        [auth]
        passwords = { admin = "admin123", user1 = "pass123" }
    """

    def password_entered():
        """Check if entered password is correct."""
        # Safely get password from session state
        entered_password = st.session_state.get("password", "")

        if not entered_password:
            st.session_state["authenticated"] = False
            st.session_state["password_incorrect"] = True
            return

        # Get password(s) from secrets - try multiple locations
        stored_password = None

        # Try auth.password first
        try:
            if "auth" in st.secrets and "password" in st.secrets["auth"]:
                stored_password = str(st.secrets["auth"]["password"]).strip()
        except Exception:
            pass

        # Fallback: try root level password
        if not stored_password:
            try:
                if "password" in st.secrets:
                    stored_password = str(st.secrets["password"]).strip()
            except Exception:
                pass

        # Check single password
        if stored_password:
            # Use simple comparison (strip whitespace from both)
            if entered_password.strip() == stored_password:
                st.session_state["authenticated"] = True
                st.session_state["username"] = "user"
                if "password" in st.session_state:
                    del st.session_state["password"]
                return

        # Check multiple users (auth.passwords)
        try:
            if "auth" in st.secrets and "passwords" in st.secrets["auth"]:
                username = st.session_state.get("username_input", "")
                passwords = st.secrets["auth"]["passwords"]
                if username in passwords:
                    stored_user_pass = str(passwords[username]).strip()
                    if entered_password.strip() == stored_user_pass:
                        st.session_state["authenticated"] = True
                        st.session_state["username"] = username
                        if "password" in st.session_state:
                            del st.session_state["password"]
                        return
        except Exception:
            pass

        st.session_state["authenticated"] = False
        st.session_state["password_incorrect"] = True

    # Check if already authenticated
    if st.session_state.get("authenticated", False):
        return True

    # Show login form
    st.markdown("""
    <style>
    .login-container {
        max-width: 400px;
        margin: 100px auto;
        padding: 40px;
        background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
        border-radius: 15px;
        box-shadow: 0 10px 40px rgba(0,0,0,0.3);
    }
    .login-title {
        text-align: center;
        color: #4ECDC4;
        font-size: 2em;
        margin-bottom: 10px;
    }
    .login-subtitle {
        text-align: center;
        color: #8b949e;
        margin-bottom: 30px;
    }
    </style>
    """, unsafe_allow_html=True)

    col1, col2, col3 = st.columns([1, 2, 1])

    with col2:
        st.markdown('<div class="login-title">🔥 SPARKNET</div>', unsafe_allow_html=True)
        st.markdown('<div class="login-subtitle">Strategic Patent Acceleration & Research Kinetics NETwork</div>', unsafe_allow_html=True)
        st.markdown("""
        <div style="text-align: center; color: #8b949e; font-size: 0.85em; margin: 15px 0;">
            AI-powered Technology Transfer Office Automation<br/>
            <span style="color: #4ECDC4;">VISTA/Horizon EU Project</span>
        </div>
        """, unsafe_allow_html=True)

        st.markdown("---")

        # Check if we have multi-user setup
        has_multi_user = (
            "auth" in st.secrets and
            "passwords" in st.secrets["auth"]
        )

        if has_multi_user:
            st.text_input(
                "Username",
                key="username_input",
                placeholder="Enter username"
            )

        st.text_input(
            "Password",
            type="password",
            key="password",
            placeholder="Enter password",
            on_change=password_entered
        )

        if st.button("🔐 Login", type="primary", use_container_width=True):
            password_entered()

        if st.session_state.get("password_incorrect", False):
            st.error("😕 Incorrect password. Please try again.")

        st.markdown("---")
        st.caption("Contact administrator for access credentials.")

    return False


def logout():
    """Log out the current user."""
    st.session_state["authenticated"] = False
    st.session_state["username"] = None
    st.rerun()


def get_current_user() -> Optional[str]:
    """Get the current logged-in username."""
    return st.session_state.get("username")


def require_auth(func):
    """Decorator to require authentication for a page."""
    def wrapper(*args, **kwargs):
        if check_password():
            return func(*args, **kwargs)
    return wrapper


def show_logout_button():
    """Show logout button in sidebar."""
    if st.session_state.get("authenticated", False):
        with st.sidebar:
            st.markdown("---")
            user = get_current_user()
            st.caption(f"Logged in as: **{user}**")
            if st.button("🚪 Logout", use_container_width=True):
                logout()