feat: implement FastHTML app shell with auth/CSRF middleware (Step 7.1)

Add web layer foundation:
- FastHTML app factory with Beforeware pattern
- Auth middleware validating trusted proxy IPs and X-Oidc-Username header
- CSRF dual-token validation (cookie + header + Origin/Referer)
- Request ID generation (ULID) and NDJSON request logging
- Role-based permission helpers (can_edit_event, can_delete_event)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-29 19:52:15 +00:00
parent eb9dc8eadd
commit 84225d865f
10 changed files with 1579 additions and 9 deletions

PLAN.md

@@ -249,15 +249,15 @@ Check off items as completed. Each phase builds on the previous.
## Phase 7: HTTP API
### Step 7.1: FastHTML App Shell
- [ ] Create `web/app.py` with FastHTML setup
- [ ] Configure HTMX extensions (head-support, preload, etc.)
- [ ] Create `web/middleware.py`:
- [ ] Auth middleware (X-Oidc-Username, TRUSTED_PROXY_IPS)
- [ ] CSRF middleware (cookie + header + Origin/Referer)
- [ ] Request logging (NDJSON format)
- [ ] Request ID generation
- [ ] Create `web/auth.py` with get_current_user, require_role
- [ ] Write tests: auth extraction, CSRF validation, untrusted IP rejection
- [x] Create `web/app.py` with FastHTML setup
- [x] Configure HTMX extensions (head-support, preload, etc.)
- [x] Create `web/middleware.py`:
- [x] Auth middleware (X-Oidc-Username, TRUSTED_PROXY_IPS)
- [x] CSRF middleware (cookie + header + Origin/Referer)
- [x] Request logging (NDJSON format)
- [x] Request ID generation
- [x] Create `web/auth.py` with get_current_user, require_role
- [x] Write tests: auth extraction, CSRF validation, untrusted IP rejection
- [ ] **Commit checkpoint**
### Step 7.2: Health & Static Assets
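Review bot: the "**Commit checkpoint**" item at the end of Step 7.1 is left as `- [ ]` even though this commit is that checkpoint and every other Step 7.1 item is flipped to `[x]` in the same hunk; either check it off here (`- [x] **Commit checkpoint**`) or leave all of Step 7.1 unchecked until the checkpoint lands, so the plan does not claim a half-finished step. Also note that the hunk only marks "Write tests: auth extraction, CSRF validation, untrusted IP rejection" as done; the commit message lists the auth, CSRF, request ID and logging middleware but does not name the test files, so the reviewer of the full patch should confirm those three test cases (trusted proxy IP check, CSRF cookie/header/Origin mismatch, untrusted IP rejection) are actually among the 10 changed files before this box is accepted as checked.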