Add dashboard router with session auth, announce endpoint, and WebSocket handler

- Login/logout/dashboard with HMAC-signed session cookies
- POST /admin/announce with session or bearer auth
- WS /ws/announce for subscribe/broadcast
- Static stubs: login.html, dashboard.html

Made-with: Cursor

src/ntr_fetcher/dashboard.py

@@ -0,0 +1,147 @@
+import hashlib
+import hmac
+import json
+import logging
+import time
+from pathlib import Path
+
+from fastapi import APIRouter, Request, HTTPException, Form, WebSocket, WebSocketDisconnect
+from fastapi.responses import HTMLResponse, RedirectResponse
+from pydantic import BaseModel
+
+from ntr_fetcher.db import Database
+from ntr_fetcher.websocket import AnnounceManager
+
+logger = logging.getLogger(__name__)
+
+STATIC_DIR = Path(__file__).parent / "static"
+SESSION_MAX_AGE = 86400
+
+
+def _sign(data: str, secret: str) -> str:
+    sig = hmac.new(secret.encode(), data.encode(), hashlib.sha256).hexdigest()
+    return f"{data}.{sig}"
+
+
+def _unsign(signed: str, secret: str, max_age: int = SESSION_MAX_AGE) -> str | None:
+    if "." not in signed:
+        return None
+    data, sig = signed.rsplit(".", 1)
+    expected = hmac.new(secret.encode(), data.encode(), hashlib.sha256).hexdigest()
+    if not hmac.compare_digest(sig, expected):
+        return None
+    try:
+        payload = json.loads(data)
+        if time.time() - payload.get("t", 0) > max_age:
+            return None
+        return payload.get("user")
+    except (json.JSONDecodeError, KeyError):
+        return None
+
+
+class AnnounceRequest(BaseModel):
+    show_id: int
+    position: int
+
+
+def create_dashboard_router(
+    db: Database,
+    manager: AnnounceManager,
+    admin_token: str,
+    web_user: str,
+    web_password: str,
+    secret_key: str,
+    show_day: int = 2,
+    show_hour: int = 22,
+) -> APIRouter:
+    router = APIRouter()
+
+    def _get_session_user(request: Request) -> str | None:
+        cookie = request.cookies.get("ntr_session")
+        if not cookie:
+            return None
+        return _unsign(cookie, secret_key)
+
+    @router.get("/login", response_class=HTMLResponse)
+    def login_page():
+        html = (STATIC_DIR / "login.html").read_text()
+        return HTMLResponse(html)
+
+    @router.post("/login")
+    def login_submit(username: str = Form(...), password: str = Form(...)):
+        if username == web_user and password == web_password:
+            payload = json.dumps({"user": username, "t": int(time.time())})
+            cookie_value = _sign(payload, secret_key)
+            response = RedirectResponse(url="/dashboard", status_code=303)
+            response.set_cookie(
+                "ntr_session",
+                cookie_value,
+                max_age=SESSION_MAX_AGE,
+                httponly=True,
+                samesite="lax",
+            )
+            return response
+        html = (STATIC_DIR / "login.html").read_text()
+        html = html.replace("<!--ERROR-->", '<p class="error">Invalid username or password</p>')
+        return HTMLResponse(html, status_code=200)
+
+    @router.get("/logout")
+    def logout():
+        response = RedirectResponse(url="/login", status_code=303)
+        response.delete_cookie("ntr_session")
+        return response
+
+    @router.get("/dashboard", response_class=HTMLResponse)
+    def dashboard(request: Request):
+        user = _get_session_user(request)
+        if user is None:
+            return RedirectResponse(url="/login", status_code=303)
+        html = (STATIC_DIR / "dashboard.html").read_text()
+        html = html.replace("{{WS_TOKEN}}", admin_token)
+        return HTMLResponse(html)
+
+    @router.post("/admin/announce")
+    async def announce(body: AnnounceRequest, request: Request):
+        user = _get_session_user(request)
+        if user is None:
+            auth_header = request.headers.get("authorization", "")
+            if not auth_header.startswith("Bearer ") or auth_header.removeprefix("Bearer ") != admin_token:
+                raise HTTPException(status_code=401, detail="Unauthorized")
+
+        track = db.get_show_track_by_position(body.show_id, body.position)
+        if track is None:
+            raise HTTPException(status_code=404, detail=f"No track at position {body.position}")
+
+        message = (
+            f"Now Playing: Song #{track['position']}: "
+            f"{track['title']} by {track['artist']} - {track['permalink_url']}"
+        )
+        await manager.broadcast({"type": "announce", "message": message})
+        return {"status": "announced", "message": message}
+
+    @router.websocket("/ws/announce")
+    async def ws_announce(websocket: WebSocket):
+        await websocket.accept()
+        try:
+            auth_msg = await websocket.receive_json()
+            if auth_msg.get("type") != "subscribe" or auth_msg.get("token") != admin_token:
+                await websocket.close(code=4001, reason="Invalid token")
+                return
+
+            manager.add_subscriber(websocket)
+            await manager.broadcast_status()
+            try:
+                while True:
+                    await websocket.receive_text()
+            except WebSocketDisconnect:
+                pass
+        except WebSocketDisconnect:
+            pass
+        finally:
+            manager.remove_subscriber(websocket)
+            try:
+                await manager.broadcast_status()
+            except Exception:
+                pass
+
+    return router

src/ntr_fetcher/static/dashboard.html

@@ -0,0 +1,5 @@
+<!DOCTYPE html>
+<html><head><title>Dashboard</title></head>
+<body><h1>NtR Playlist Dashboard</h1>
+<script>const WS_TOKEN = "{{WS_TOKEN}}";</script>
+</body></html>

src/ntr_fetcher/static/login.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html><head><title>Login</title></head>
+<body>
+<!--ERROR-->
+<form method="post" action="/login">
+<label>Username <input name="username"></label>
+<label>Password <input name="password" type="password"></label>
+<button type="submit">Login</button>
+</form>
+</body></html>