v0.2 planning and ux improvements

2026-04-12 11:21:09 +02:00
parent 21014c246e
commit 36bde02c54
30 changed files with 1456 additions and 368 deletions
+8 -3
@@ -1,6 +1,7 @@
from __future__ import annotations
import functools
import secrets
from flask import (
Blueprint,
@@ -34,7 +35,7 @@ def login_required(view):
def ensure_csrf_token() -> str:
token = session.get("_csrf_token")
if not token:
token = session["_csrf_token"] = __import__("secrets").token_hex(24)
token = session["_csrf_token"] = secrets.token_hex(24)
return token
@@ -43,7 +44,8 @@ def inject_csrf_input():
return {
"csrf_input": lambda: Markup(
f'<input type="hidden" name="csrf_token" value="{ensure_csrf_token()}">'
)
),
"csrf_token_value": ensure_csrf_token(),
}
@@ -87,7 +89,7 @@ def setup():
elif not password:
error = "Bitte ein Passwort vergeben."
elif password != password_repeat:
error = "Die Passwoerter stimmen nicht ueberein."
error = "Die Passwörter stimmen nicht überein."
if error is None:
database = get_db()
@@ -115,6 +117,7 @@ def login():
if request.method == "POST":
username = request.form.get("username", "").strip().lower()
password = request.form.get("password", "")
remember_me = request.form.get("remember_me") == "1"
database = get_db()
user = database.execute(
"SELECT * FROM users WHERE username = ?",
@@ -127,6 +130,8 @@ def login():
if error is None:
session.clear()
# Opt-in long-lived session so the shared household device stays low-friction.
session.permanent = remember_me
session["user_id"] = user["id"]
ensure_csrf_token()
return redirect(url_for("main.dashboard"))
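Review bot: The new `session.permanent = remember_me` line in login() hands the cookie's lifetime to Flask's `PERMANENT_SESSION_LIFETIME`, which defaults to 31 days, and nothing visible in this section bounds it or sets the cookie flags. On the shared household device the comment mentions, anyone who opens the browser during that window is the logged-in user. If the app uses Flask's default signed-cookie session (not visible here), logout also cannot invalidate a cookie that was copied earlier. I would set the lifetime explicitly where the app is configured, e.g. `app.config["PERMANENT_SESSION_LIFETIME"] = timedelta(days=<N>)`, alongside `SESSION_COOKIE_SECURE = True` and `SESSION_COOKIE_SAMESITE = "Lax"`, and extend the comment to say the lifetime is bounded by that setting. login() begins and ends outside the hunks shown.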