# Admin Authentication Setup This document explains how to set up admin authentication for the PromptAid Vision application. ## Environment Variables Add these environment variables to your `.env` file or Hugging Face Space secrets: ### Required Variables ```bash # Admin password for authentication ADMIN_PASSWORD=your-secure-admin-password-here # JWT secret key for token signing (use a strong, random key) JWT_SECRET_KEY=your-secure-jwt-secret-key-here ``` ### Optional Variables ```bash # Database connection DATABASE_URL=postgresql://username:password@localhost:5432/database_name # Storage configuration STORAGE_PROVIDER=local STORAGE_DIR=./uploads ``` ## How It Works ### 1. Admin Login - Users click "Admin Login" in the header navigation - They enter the admin password - If correct, they receive a JWT token valid for 24 hours ### 2. Authentication Flow - Frontend stores the JWT token in localStorage - Token is sent with each admin API request in Authorization header - Backend verifies token validity and role ### 3. Security Features - JWT tokens expire after 24 hours - Tokens are verified on each admin request - Password is stored in environment variables (not in code) ## API Endpoints ### POST `/api/admin/login` - **Purpose**: Authenticate admin user - **Body**: `{"password": "admin_password"}` - **Response**: `{"token": "jwt_token", "expires_at": "timestamp"}` ### POST `/api/admin/verify` - **Purpose**: Verify admin token - **Headers**: `Authorization: Bearer ` - **Response**: `{"valid": true/false, "message": "..."}` ### GET `/api/admin/status` - **Purpose**: Get admin status (protected endpoint) - **Headers**: `Authorization: Bearer ` - **Response**: `{"status": "authenticated", "role": "admin", "timestamp": "..."}` ## Development vs Production ### Development - Default password: `admin123` - Default JWT secret: `your-secret-key-change-in-production` - **⚠️ Change these in production!** ### Production - Use strong, random passwords - Use secure JWT secret keys - Store secrets in environment variables or Hugging Face Space secrets - Consider implementing password hashing for additional security ## Future Enhancements - User-specific accounts and permissions - Role-based access control - Password hashing with bcrypt - Session management - Audit logging - Two-factor authentication ## Troubleshooting ### Common Issues 1. **"Invalid admin password"** - Check that `ADMIN_PASSWORD` environment variable is set correctly - Ensure no extra spaces or characters 2. **"Token is invalid or expired"** - Token may have expired (24-hour limit) - Try logging in again - Check `JWT_SECRET_KEY` is consistent 3. **"Method Not Allowed"** - Ensure admin router is properly included in main.py - Check API endpoint URLs are correct ### Debug Steps 1. Verify environment variables are loaded 2. Check backend logs for authentication errors 3. Verify JWT token format in browser localStorage 4. Test API endpoints directly with tools like curl or Postman