Checkpoint React frontend migration

backend/app/routers/auth.py

@@ -0,0 +1,60 @@
+"""
+Authentication endpoints.
+"""
+
+from typing import Any, Dict
+
+from fastapi import APIRouter, HTTPException, status
+from pydantic import BaseModel
+
+from app.core.auth import issue_access_token
+from app.core.config import get_settings
+
+router = APIRouter(prefix="/auth", tags=["auth"])
+settings = get_settings()
+
+
+class LoginRequest(BaseModel):
+    username: str
+    password: str
+
+
+@router.post(
+    "/admin-login",
+    summary="Admin Login",
+    description="Login for standalone app administration.",
+)
+async def admin_login(request: LoginRequest) -> Dict[str, Any]:
+    """Authenticate an app admin and issue a JWT token."""
+    if not settings.ENABLE_ADMIN:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin functionality is disabled.",
+        )
+
+    if not settings.ADMIN_USERNAME or not settings.ADMIN_PASSWORD:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Admin credentials not configured.",
+        )
+
+    if (
+        request.username != settings.ADMIN_USERNAME
+        or request.password != settings.ADMIN_PASSWORD
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid credentials",
+        )
+
+    token = issue_access_token(
+        website_id=None,
+        role="system_admin",
+        expires_in_seconds=86400 * 7,  # 7 days
+    )
+
+    return {
+        "access_token": token,
+        "token_type": "bearer",
+        "role": "system_admin",
+    }