Add password protection system

- Implement password protection page with session persistence
- Add API authentication middleware with password verification
- Create /api/verify-password endpoint
- Configure APP_PASSWORD environment variable (3030)
- Fix CORS preflight requests being blocked by auth middleware
- Update frontend to handle password verification flow
- Add X-Password-Verified header to authenticated API requests

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

backend/app/config/settings.py

@@ -24,8 +24,14 @@ class Settings(BaseSettings):
     # Text Limits
     max_text_length: int = 10000
     
+    # Security
+    app_password: str = ""
+    
     class Config:
         env_file = ".env"
         case_sensitive = False
 
-settings = Settings()
+settings = Settings()
+
+def get_settings():
+    return settings

backend/app/models/grading.py

@@ -54,4 +54,11 @@ class AgentInfo(BaseModel):
 
 class AgentsListResponse(BaseModel):
     version: int
-    agents: List[AgentInfo]
+    agents: List[AgentInfo]
+
+class PasswordVerifyRequest(BaseModel):
+    password: str = Field(..., description="Password to verify")
+
+class PasswordVerifyResponse(BaseModel):
+    success: bool = Field(..., description="Whether password is correct")
+    message: Optional[str] = None

backend/app/routers/grading.py

@@ -5,10 +5,13 @@ from app.models.grading import (
     GradeRequest, 
     GradeResponse, 
     AgentsListResponse,
-    AgentInfo
+    AgentInfo,
+    PasswordVerifyRequest,
+    PasswordVerifyResponse
 )
 from app.config.agents import get_agents_config
 from app.services.openai_service import get_openai_service
+from app.config.settings import get_settings
 
 logger = logging.getLogger(__name__)
 router = APIRouter(prefix="/api", tags=["grading"])
@@ -98,6 +101,30 @@ async def grade_text(request: GradeRequest):
             }
         )
 
+@router.post("/verify-password", response_model=PasswordVerifyResponse)
+async def verify_password(request: PasswordVerifyRequest):
+    """Verify password for platform access"""
+    try:
+        settings = get_settings()
+        correct_password = settings.app_password or "3030"
+        
+        if request.password == correct_password:
+            return PasswordVerifyResponse(
+                success=True,
+                message="Password verified successfully"
+            )
+        else:
+            return PasswordVerifyResponse(
+                success=False,
+                message="Incorrect password"
+            )
+    except Exception as e:
+        logger.error(f"Error verifying password: {str(e)}")
+        return PasswordVerifyResponse(
+            success=False,
+            message="Password verification failed"
+        )
+
 @router.get("/health")
 async def health_check():
     """Health check endpoint"""

backend/main.py

@@ -11,6 +11,7 @@ load_dotenv(".env")
 
 from app.config.settings import settings
 from app.routers import grading
+from app.middleware.password_auth import PasswordProtectionMiddleware
 
 # Configure logging
 logging.basicConfig(
@@ -44,6 +45,9 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
+# Add password protection middleware
+app.add_middleware(PasswordProtectionMiddleware)
+
 # Include routers
 app.include_router(grading.router)
 

frontend/src/App.tsx

@@ -3,8 +3,10 @@ import './App.css';
 import type { Agent, GradeResult } from './types/index';
 import { gradingApi } from './api/grading';
 import AssistantGuide from './AssistantGuide';
+import PasswordProtection from './components/PasswordProtection';
 
 function App() {
+  const [isPasswordVerified, setIsPasswordVerified] = useState<boolean>(false);
   const [currentView, setCurrentView] = useState<'grading' | 'guide'>('grading');
   const [agents, setAgents] = useState<Agent[]>([]);
   const [selectedAgent, setSelectedAgent] = useState<string>('');
@@ -106,9 +108,19 @@ function App() {
   const currentLabels = labels[selectedLanguage as 'zh' | 'en'] || labels.zh;
 
   useEffect(() => {
-    loadAgents();
+    // Check if password is already verified
+    const savedPassword = sessionStorage.getItem('app_password_verified');
+    if (savedPassword === 'true') {
+      setIsPasswordVerified(true);
+      loadAgents();
+    }
   }, []);
 
+  const handlePasswordCorrect = () => {
+    setIsPasswordVerified(true);
+    loadAgents();
+  };
+
   const loadAgents = async () => {
     try {
       const agentsList = await gradingApi.getAgents();
@@ -164,6 +176,11 @@ function App() {
   // 取得當前選中的 agent
   const currentAgent = agents.find(a => a.key === selectedAgent);
 
+  // Show password protection if not verified
+  if (!isPasswordVerified) {
+    return <PasswordProtection onPasswordCorrect={handlePasswordCorrect} />;
+  }
+
   return (
     <div className="App">
       <header className="app-header">

frontend/src/api/grading.ts

@@ -10,6 +10,15 @@ const api = axios.create({
   },
 });
 
+// Add password verification interceptor
+api.interceptors.request.use((config) => {
+  const passwordVerified = sessionStorage.getItem('app_password_verified');
+  if (passwordVerified === 'true') {
+    config.headers['X-Password-Verified'] = 'true';
+  }
+  return config;
+});
+
 export const gradingApi = {
   async getAgents(): Promise<Agent[]> {
     const response = await api.get<AgentsResponse>('/agents');
@@ -20,4 +29,9 @@ export const gradingApi = {
     const response = await api.post<GradeResponse>('/grade', request);
     return response.data;
   },
+
+  async verifyPassword(password: string): Promise<{success: boolean, message?: string}> {
+    const response = await axios.post(`${API_BASE_URL}/verify-password`, { password });
+    return response.data;
+  },
 };