Add modular app structure for L2 server

- Create app factory with routers and templates
- Auth, assets, activities, anchors, storage, users, renderers routers
- Federation router for WebFinger and nodeinfo
- Jinja2 templates for L2 pages
- Config and dependency injection

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

app/routers/auth.py

@@ -0,0 +1,175 @@
+"""
+Authentication routes for L2 server.
+
+Handles login, registration, and logout.
+"""
+
+import hashlib
+from datetime import datetime, timezone
+
+from fastapi import APIRouter, Request, Form
+from fastapi.responses import HTMLResponse, RedirectResponse
+
+from artdag_common import render
+from artdag_common.middleware import wants_html
+
+from ..config import settings
+from ..dependencies import get_templates, get_user_from_cookie
+
+router = APIRouter()
+
+
+@router.get("/login", response_class=HTMLResponse)
+async def login_page(request: Request, return_to: str = None):
+    """Login page."""
+    username = get_user_from_cookie(request)
+
+    if username:
+        templates = get_templates(request)
+        return render(templates, "auth/already_logged_in.html", request,
+            user={"username": username},
+        )
+
+    templates = get_templates(request)
+    return render(templates, "auth/login.html", request,
+        return_to=return_to,
+    )
+
+
+@router.post("/login", response_class=HTMLResponse)
+async def login_submit(
+    request: Request,
+    username: str = Form(...),
+    password: str = Form(...),
+    return_to: str = Form(None),
+):
+    """Handle login form submission."""
+    from auth import authenticate_user, create_access_token
+
+    if not username or not password:
+        return HTMLResponse(
+            '<div class="text-red-400">Username and password are required</div>'
+        )
+
+    user = await authenticate_user(settings.data_dir, username.strip(), password)
+    if not user:
+        return HTMLResponse(
+            '<div class="text-red-400">Invalid username or password</div>'
+        )
+
+    token = create_access_token(user.username, l2_server=f"https://{settings.domain}")
+
+    # Handle return_to redirect
+    if return_to and return_to.startswith("http"):
+        separator = "&" if "?" in return_to else "?"
+        redirect_url = f"{return_to}{separator}auth_token={token.access_token}"
+        response = HTMLResponse(f'''
+            <div class="text-green-400">Login successful! Redirecting...</div>
+            <script>window.location.href = "{redirect_url}";</script>
+        ''')
+    else:
+        response = HTMLResponse('''
+            <div class="text-green-400">Login successful! Redirecting...</div>
+            <script>window.location.href = "/";</script>
+        ''')
+
+    response.set_cookie(
+        key="auth_token",
+        value=token.access_token,
+        httponly=True,
+        max_age=60 * 60 * 24 * 30,
+        samesite="lax",
+        secure=True,
+    )
+    return response
+
+
+@router.get("/register", response_class=HTMLResponse)
+async def register_page(request: Request):
+    """Registration page."""
+    username = get_user_from_cookie(request)
+
+    if username:
+        templates = get_templates(request)
+        return render(templates, "auth/already_logged_in.html", request,
+            user={"username": username},
+        )
+
+    templates = get_templates(request)
+    return render(templates, "auth/register.html", request)
+
+
+@router.post("/register", response_class=HTMLResponse)
+async def register_submit(
+    request: Request,
+    username: str = Form(...),
+    password: str = Form(...),
+    password2: str = Form(...),
+    email: str = Form(None),
+):
+    """Handle registration form submission."""
+    from auth import create_user, create_access_token
+
+    if not username or not password:
+        return HTMLResponse('<div class="text-red-400">Username and password are required</div>')
+
+    if password != password2:
+        return HTMLResponse('<div class="text-red-400">Passwords do not match</div>')
+
+    if len(password) < 6:
+        return HTMLResponse('<div class="text-red-400">Password must be at least 6 characters</div>')
+
+    try:
+        user = await create_user(settings.data_dir, username.strip(), password, email)
+    except ValueError as e:
+        return HTMLResponse(f'<div class="text-red-400">{str(e)}</div>')
+
+    token = create_access_token(user.username, l2_server=f"https://{settings.domain}")
+
+    response = HTMLResponse('''
+        <div class="text-green-400">Registration successful! Redirecting...</div>
+        <script>window.location.href = "/";</script>
+    ''')
+    response.set_cookie(
+        key="auth_token",
+        value=token.access_token,
+        httponly=True,
+        max_age=60 * 60 * 24 * 30,
+        samesite="lax",
+        secure=True,
+    )
+    return response
+
+
+@router.get("/logout")
+async def logout(request: Request):
+    """Handle logout."""
+    import db
+    import requests
+    from auth import get_token_claims
+
+    token = request.cookies.get("auth_token")
+    claims = get_token_claims(token) if token else None
+    username = claims.get("sub") if claims else None
+
+    if username and token and claims:
+        # Revoke token in database
+        token_hash = hashlib.sha256(token.encode()).hexdigest()
+        expires_at = datetime.fromtimestamp(claims.get("exp", 0), tz=timezone.utc)
+        await db.revoke_token(token_hash, username, expires_at)
+
+        # Revoke on attached L1 servers
+        attached = await db.get_user_renderers(username)
+        for l1_url in attached:
+            try:
+                requests.post(
+                    f"{l1_url}/auth/revoke-user",
+                    json={"username": username, "l2_server": f"https://{settings.domain}"},
+                    timeout=5,
+                )
+            except Exception:
+                pass
+
+    response = RedirectResponse(url="/", status_code=302)
+    response.delete_cookie("auth_token")
+    return response