Security: remove auto-login demo endpoint, require password for demo_user

app.py

@@ -373,41 +373,6 @@ async def login(login_data: LoginRequest, response: Response):
         pass
     return result
 
-@app.get("/api/auth/demo-login", response_model=DemoLoginResponse, tags=["Authentication"])
-async def demo_login(response: Response):
-    """Auto-login for demo mode"""
-    # Always allow demo login - no settings check needed
-    
-    # Create a new demo session
-    result = auth_manager.create_demo_session()
-    if not result:
-        raise HTTPException(
-            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
-            detail="Could not create demo session"
-        )
-    
-    # Set authentication cookie for web page requests (12 hour expiry)
-    response.set_cookie(
-        key="auth_token",
-        value=result["token"],
-        max_age=12*60*60,  # 12 hours for demo duration
-        httponly=True,
-        secure=True,
-        samesite="lax"
-    )
-    
-    logger.info("Demo user logged in via demo button")
-    
-    return DemoLoginResponse(
-        token=result["token"],
-        user={
-            "username": result["user"]["username"],
-            "role": result["user"]["role"],
-            "full_name": result["user"]["full_name"],
-            "permissions": result["user"]["permissions"]
-        },
-        is_demo_mode=True
-    )
 
 @app.get("/api/auth/validate", tags=["Authentication"])
 async def validate_session(user: Dict[str, Any] = Depends(require_auth)):

auth.py

@@ -28,9 +28,10 @@ class AuthManager:
         admin_password = os.getenv('ADMIN_PASSWORD', DEV_PASSWORDS['ADMIN_PASSWORD'])
         ishita_password = os.getenv('ISHITA_PASSWORD', DEV_PASSWORDS['ISHITA_PASSWORD'])
         jeeb_password = os.getenv('JEEB_PASSWORD', DEV_PASSWORDS['JEEB_PASSWORD'])
+        demo_password = os.getenv('DEMO_PASSWORD', DEV_PASSWORDS.get('DEMO_PASSWORD'))
         
         # Warn if using development passwords
-        env_vars = ['AALEKH_PASSWORD', 'ADMIN_PASSWORD', 'ISHITA_PASSWORD', 'JEEB_PASSWORD']
+        env_vars = ['AALEKH_PASSWORD', 'ADMIN_PASSWORD', 'ISHITA_PASSWORD', 'JEEB_PASSWORD', 'DEMO_PASSWORD']
         missing_vars = [var for var in env_vars if not os.getenv(var)]
         if missing_vars:
             logger.warning(f"Using default development passwords for: {', '.join(missing_vars)}. Set these environment variables for production!")
@@ -70,7 +71,7 @@ class AuthManager:
             
             # Demo account for public demonstrations
             "demo_user": {
-                "password_hash": self._hash_password("demo_access_2024"),
+                "password_hash": self._hash_password(demo_password),
                 "role": "demo_user",
                 "full_name": "Demo Account",
                 "permissions": ["read", "demo_view", "demo_interact", "map_view", "demo_navigation"]

static/index.html

@@ -947,7 +947,7 @@
         // Force refresh if we detect cached version
         (function() {
             const currentVersion = '5.1.1';
-            const timestamp = '1762281121'; // Cache-busting bump
+            const timestamp = '1762281551'; // Cache-busting bump
             const lastVersion = sessionStorage.getItem('treetrack_version');
             const lastTimestamp = sessionStorage.getItem('treetrack_timestamp');
             
@@ -1193,7 +1193,7 @@
         </div>
     </div>
 
-    <script type="module" src="/static/js/tree-track-app.js?v=5.1.1&t=1762281121"></script>
+    <script type="module" src="/static/js/tree-track-app.js?v=5.1.1&t=1762281551"></script>
     
     <script>
         // Idle-time prefetch of map assets to speed up first navigation

static/login.html

@@ -358,9 +358,9 @@
             </button>
             
             <div class="accounts-dropdown" id="accountsDropdown">
-                <button class="account-item demo-account" onclick="selectDemoAccount(event)">
+                <button class="account-item demo-account" onclick="selectAccount('demo_user', event)">
                     <div class="account-role">Demo Account</div>
-                    <div class="account-username">Public demonstration access</div>
+                    <div class="account-username">demo_user (requires password)</div>
                 </button>
                 <button class="account-item" onclick="selectAccount('aalekh', event)">
                     <div class="account-role">Aalekh (Admin)</div>
@@ -400,39 +400,6 @@
             }
         }
 
-        function selectDemoAccount(event) {
-            // Directly log in to demo account
-            event.preventDefault();
-            
-            setLoading(true);
-            
-            // Call demo login API
-            fetch('/api/auth/demo-login', {
-                method: 'GET'
-            })
-            .then(response => response.json())
-            .then(result => {
-                if (result.token) {
-                    // Store authentication token
-                    localStorage.setItem('auth_token', result.token);
-                    localStorage.setItem('user_info', JSON.stringify(result.user));
-                    
-                    showMessage('Demo access granted! Redirecting...', 'success');
-                    
-                    // Redirect to welcome screen for demo users
-                    setTimeout(() => {
-                        window.location.href = '/welcome';
-                    }, 1500);
-                } else {
-                    throw new Error('Demo mode not available');
-                }
-            })
-            .catch(error => {
-                console.error('Demo login error:', error);
-                showMessage('Demo mode is not currently available. Please try again later.');
-                setLoading(false);
-            });
-        }
         
         function selectAccount(username, event) {
             document.getElementById('username').value = username;

static/map.html

@@ -968,7 +968,7 @@
         // Force refresh if we detect cached version
         (function() {
             const currentVersion = '5.1.1';
-const timestamp = '1762281121'; // Current timestamp for cache busting
+const timestamp = '1762281551'; // Current timestamp for cache busting
             const lastVersion = sessionStorage.getItem('treetrack_version');
             const lastTimestamp = sessionStorage.getItem('treetrack_timestamp');
             
@@ -1137,7 +1137,7 @@ const timestamp = '1762281121'; // Current timestamp for cache busting
     <script src="https://unpkg.com/leaflet@1.9.4/dist/leaflet.js"></script>
     <!-- Leaflet MarkerCluster JS for performance and grouping -->
     <script src="https://unpkg.com/leaflet.markercluster@1.4.1/dist/leaflet.markercluster.js"></script>
-<script src="/static/map.js?v=5.1.1&t=1762281121"></script>
+<script src="/static/map.js?v=5.1.1&t=1762281551"></script>
     <script>
         console.log('🗺️ Map script loaded successfully');
     </script>

static/sw.js

@@ -1,5 +1,5 @@
 // TreeTrack Service Worker - PWA and Offline Support
-const VERSION = 1762281121; // Cache busting bump - force clients to fetch new static assets and header image change
+const VERSION = 1762281551; // Cache busting bump - force clients to fetch new static assets and header image change
 const CACHE_NAME = `treetrack-v${VERSION}`;
 const STATIC_CACHE = `static-v${VERSION}`;
 const API_CACHE = `api-v${VERSION}`;

version.json

@@ -1,4 +1,4 @@
 {
   "version": "5.1.1",
-  "timestamp": 1762281121
+  "timestamp": 1762281551
 }