# Portal Auth Admin Dashboard

Web dashboard to view and edit the `portal_auth` database. **Only users with role `admin`** in the `users` table can log in.

## Setup

1. Copy `.env.example` to `.env` and set:
   - `DB_AUTH_HOST`, `DB_AUTH_PORT`, `DB_AUTH_NAME`, `DB_AUTH_USER`, `DB_AUTH_PASSWORD` (same as your portal auth DB)
   - `SECRET_KEY` (random string for session signing)

2. Install dependencies:
   ```bash
   pip install -r requirements.txt
   ```

3. Run the app:
   ```bash
   python app.py
   ```
   By default it listens on `http://0.0.0.0:5000`.

## Features

- **Login**: Admin only (role = `admin`, `is_active` = true). Passwords verified with bcrypt (or legacy salt:hash).
- **Dashboard**: Links to each table.
- **Users**: View all; create new user; edit role (admin/support) and active flag; change password.
- **Sessions**: View active sessions; revoke (delete) a session.
- **Auth logs**: View only (append-only log).
- **API tokens**: View; activate/deactivate; delete.

## Git repository

- **URL:** http://10.20.30.250:3000/nearxos/portal-auth-dashboard  
- **Clone:** `git clone http://10.20.30.250:3000/nearxos/portal-auth-dashboard.git`

## Deployment to Auth LXC (10.110.60.210)

From your machine (with SSH access to the server):

```bash
./deploy/deploy.sh
```

This will:
- **First time:** Clone the repo from Git to `/opt/portal-auth-dashboard` on `root@10.110.60.210`, create venv, install dependencies, create `.env` from `deploy/.env.server` if missing, install and start the systemd unit.
- **Later runs:** Pull latest from `origin/main`, reinstall dependencies, restart the service.

If the Git server is not reachable from the deploy target (e.g. private repo), set `GIT_REPO_URL` with credentials before running:

```bash
export GIT_REPO_URL="http://nearxos:YOUR_TOKEN@10.20.30.250:3000/nearxos/portal-auth-dashboard.git"
./deploy/deploy.sh
```

**After first deploy**, on the server set the real credentials:

```bash
ssh root@10.110.60.210
nano /opt/portal-auth-dashboard/.env   # set DB_AUTH_PASSWORD and SECRET_KEY
systemctl restart portal-auth-dashboard
```

Dashboard URL: **http://10.110.60.210:5000**

### Manual deploy (if the script is not used)

On the server (Debian):

```bash
apt-get update && apt-get install -y python3-venv python3-pip rsync
mkdir -p /opt/portal-auth-dashboard
```

From your machine, sync the project (excluding `.env`, `venv`, `.git`), then on the server:

```bash
cd /opt/portal-auth-dashboard
python3 -m venv venv && ./venv/bin/pip install -r requirements.txt
cp deploy/.env.server .env   # then edit .env
cp deploy/portal-auth-dashboard.service /etc/systemd/system/
systemctl daemon-reload && systemctl enable --now portal-auth-dashboard
```

## Production notes

Run behind a reverse proxy (e.g. nginx) with HTTPS. Set `SECRET_KEY` and ensure the app can reach the Auth DB (on the same host use `DB_AUTH_HOST=127.0.0.1`).