Add session-based authentication

Implement secure authentication using scs session manager with SQLite
backing store and bcrypt password hashing.

- Add users and sessions tables (migration 004)
- Create internal/auth package with Service, Middleware, and Handlers
- Protect all routes except /login, /logout, /static/*
- Add login page template and logout button to dashboard
- Default credentials: admin/changeme (configurable via env vars)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2 files changed, 63 insertions, 0 deletions

diff --git a/web/templates/index.html b/web/templates/index.html
index b341c17..54bb0c6 100644
--- a/web/templates/index.html
+++ b/web/templates/index.html
@@ -19,6 +19,12 @@
                         class="bg-primary-600 hover:bg-primary-700 text-white px-4 py-2 rounded-lg transition-colors font-medium no-print">
                     <span id="refresh-text">Refresh</span>
                 </button>
+                <form method="POST" action="/logout" class="no-print">
+                    <button type="submit"
+                            class="text-gray-600 hover:text-gray-900 px-3 py-2 rounded-lg transition-colors font-medium">
+                        Logout
+                    </button>
+                </form>
             </div>
         </header>
 
diff --git a/web/templates/login.html b/web/templates/login.html
new file mode 100644
index 0000000..e5ce9e4
--- /dev/null
+++ b/web/templates/login.html
@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Login - Personal Dashboard</title>
+    <link rel="stylesheet" href="/static/css/output.css">
+</head>
+<body class="min-h-screen flex items-center justify-center bg-gray-50">
+    <div class="w-full max-w-md p-8">
+        <div class="bg-white rounded-xl shadow-lg p-8">
+            <h1 class="text-2xl font-bold text-gray-900 text-center mb-8">Personal Dashboard</h1>
+
+            {{if .Error}}
+            <div class="mb-6 p-4 bg-red-50 border border-red-200 rounded-lg text-red-700 text-sm">
+                {{.Error}}
+            </div>
+            {{end}}
+
+            <form method="POST" action="/login" class="space-y-6">
+                <div>
+                    <label for="username" class="block text-sm font-medium text-gray-700 mb-2">
+                        Username
+                    </label>
+                    <input
+                        type="text"
+                        id="username"
+                        name="username"
+                        required
+                        autofocus
+                        class="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-primary-500 focus:border-primary-500 transition-colors"
+                        placeholder="Enter your username">
+                </div>
+
+                <div>
+                    <label for="password" class="block text-sm font-medium text-gray-700 mb-2">
+                        Password
+                    </label>
+                    <input
+                        type="password"
+                        id="password"
+                        name="password"
+                        required
+                        class="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-primary-500 focus:border-primary-500 transition-colors"
+                        placeholder="Enter your password">
+                </div>
+
+                <button
+                    type="submit"
+                    class="w-full bg-primary-600 hover:bg-primary-700 text-white font-medium py-3 px-4 rounded-lg transition-colors">
+                    Sign In
+                </button>
+            </form>
+        </div>
+    </div>
+</body>
+</html>