Move auth server from federation to account

Account is now the OAuth authorization server with magic link login, OAuth2 authorize endpoint, SSO logout, and session management. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:00:20 +00:00
parent 19189e6655
commit 2178607484
33 changed files with 723 additions and 2 deletions
--- a/app.py
+++ b/app.py
@@ -1,12 +1,14 @@
 from __future__ import annotations
 import path_setup  # noqa: F401  # adds shared/ to sys.path
 from pathlib import Path
 from quart import g
 from jinja2 import FileSystemLoader, ChoiceLoader
 from shared.infrastructure.factory import create_base_app
 from shared.services.registry import services
-from bp import register_account_bp
+from bp import register_account_bp, register_auth_bp
 async def account_context() -> dict:
@@ -39,7 +41,15 @@ def create_app() -> "Quart":
        domain_services_fn=register_domain_services,
    )
    # App-specific templates override shared templates
    app_templates = str(Path(__file__).resolve().parent / "templates")
    app.jinja_loader = ChoiceLoader([
        FileSystemLoader(app_templates),
        app.jinja_loader,
    ])
    # --- blueprints ---
    app.register_blueprint(register_auth_bp())
    app.register_blueprint(register_account_bp())
    return app
--- a/blog/init.py
+++ b/blog/init.py
--- a/blog/models/init.py
+++ b/blog/models/init.py
@@ -0,0 +1,14 @@
 from .ghost_content import Post, Author, Tag, PostAuthor, PostTag, PostLike
 from .snippet import Snippet
 from .tag_group import TagGroup, TagGroupTag
 # Shared models — canonical definitions live in shared/models/
 from shared.models.ghost_membership_entities import (
    GhostLabel, UserLabel,
    GhostNewsletter, UserNewsletter,
    GhostTier, GhostSubscription,
 )
 from shared.models.menu_item import MenuItem
 from shared.models.kv import KV
 from shared.models.magic_link import MagicLink
 from shared.models.user import User
--- a/blog/models/ghost_content.py
+++ b/blog/models/ghost_content.py
@@ -0,0 +1,3 @@
 from shared.models.ghost_content import (  # noqa: F401
    Tag, Post, Author, PostAuthor, PostTag, PostLike,
 )
--- a/blog/models/ghost_membership_entities.py
+++ b/blog/models/ghost_membership_entities.py
@@ -0,0 +1,12 @@
 # Re-export from canonical shared location
 from shared.models.ghost_membership_entities import (
    GhostLabel, UserLabel,
    GhostNewsletter, UserNewsletter,
    GhostTier, GhostSubscription,
 )
 __all__ = [
    "GhostLabel", "UserLabel",
    "GhostNewsletter", "UserNewsletter",
    "GhostTier", "GhostSubscription",
 ]
--- a/blog/models/kv.py
+++ b/blog/models/kv.py
@@ -0,0 +1,4 @@
 # Re-export from canonical shared location
 from shared.models.kv import KV
 __all__ = ["KV"]
--- a/blog/models/magic_link.py
+++ b/blog/models/magic_link.py
@@ -0,0 +1,4 @@
 # Re-export from canonical shared location
 from shared.models.magic_link import MagicLink
 __all__ = ["MagicLink"]
--- a/blog/models/menu_item.py
+++ b/blog/models/menu_item.py
@@ -0,0 +1,4 @@
 # Re-export from canonical shared location
 from shared.models.menu_item import MenuItem
 __all__ = ["MenuItem"]
--- a/blog/models/snippet.py
+++ b/blog/models/snippet.py
@@ -0,0 +1,32 @@
 from __future__ import annotations
 from datetime import datetime
 from sqlalchemy import Integer, String, Text, DateTime, ForeignKey, UniqueConstraint, Index, func
 from sqlalchemy.orm import Mapped, mapped_column
 from shared.db.base import Base
 class Snippet(Base):
    __tablename__ = "snippets"
    __table_args__ = (
        UniqueConstraint("user_id", "name", name="uq_snippets_user_name"),
        Index("ix_snippets_visibility", "visibility"),
    )
    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
    user_id: Mapped[int] = mapped_column(
        ForeignKey("users.id", ondelete="CASCADE"), nullable=False,
    )
    name: Mapped[str] = mapped_column(String(255), nullable=False)
    value: Mapped[str] = mapped_column(Text, nullable=False)
    visibility: Mapped[str] = mapped_column(
        String(20), nullable=False, default="private", server_default="private",
    )
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(),
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now(),
    )
--- a/blog/models/tag_group.py
+++ b/blog/models/tag_group.py
@@ -0,0 +1,52 @@
 from datetime import datetime
 from typing import List, Optional
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 from sqlalchemy import (
    Integer,
    String,
    Text,
    DateTime,
    ForeignKey,
    UniqueConstraint,
    func,
 )
 from shared.db.base import Base
 class TagGroup(Base):
    __tablename__ = "tag_groups"
    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
    name: Mapped[str] = mapped_column(String(255), nullable=False)
    slug: Mapped[str] = mapped_column(String(191), unique=True, nullable=False)
    feature_image: Mapped[Optional[str]] = mapped_column(Text())
    colour: Mapped[Optional[str]] = mapped_column(String(32))
    sort_order: Mapped[int] = mapped_column(Integer, default=0, nullable=False)
    created_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now()
    )
    updated_at: Mapped[datetime] = mapped_column(
        DateTime(timezone=True), nullable=False, server_default=func.now(), onupdate=func.now()
    )
    tag_links: Mapped[List["TagGroupTag"]] = relationship(
        "TagGroupTag", back_populates="group", cascade="all, delete-orphan", passive_deletes=True
    )
 class TagGroupTag(Base):
    __tablename__ = "tag_group_tags"
    __table_args__ = (
        UniqueConstraint("tag_group_id", "tag_id", name="uq_tag_group_tag"),
    )
    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
    tag_group_id: Mapped[int] = mapped_column(
        ForeignKey("tag_groups.id", ondelete="CASCADE"), nullable=False
    )
    tag_id: Mapped[int] = mapped_column(
        ForeignKey("tags.id", ondelete="CASCADE"), nullable=False
    )
    group: Mapped["TagGroup"] = relationship("TagGroup", back_populates="tag_links")
--- a/blog/models/user.py
+++ b/blog/models/user.py
@@ -0,0 +1,4 @@
 # Re-export from canonical shared location
 from shared.models.user import User
 __all__ = ["User"]
--- a/bp/init.py
+++ b/bp/init.py
@@ -1 +1,2 @@
 from .account.routes import register as register_account_bp
 from .auth.routes import register as register_auth_bp
--- a/bp/auth/init.py
+++ b/bp/auth/init.py
--- a/bp/auth/routes.py
+++ b/bp/auth/routes.py
@@ -0,0 +1,232 @@
 """Authentication routes for the account app.
 Account is the OAuth authorization server. Owns magic link login/logout,
 OAuth2 authorize endpoint, and SSO logout.
 """
 from __future__ import annotations
 import secrets
 from datetime import datetime, timezone, timedelta
 from quart import (
    Blueprint,
    request,
    render_template,
    redirect,
    url_for,
    session as qsession,
    g,
    current_app,
 )
 from sqlalchemy import select
 from sqlalchemy.exc import SQLAlchemyError
 from shared.db.session import get_session
 from shared.models import User
 from shared.models.oauth_code import OAuthCode
 from shared.infrastructure.urls import account_url, app_url
 from shared.infrastructure.cart_identity import current_cart_identity
 from shared.events import emit_activity
 from .services import (
    pop_login_redirect_target,
    store_login_redirect_target,
    send_magic_email,
    find_or_create_user,
    create_magic_link,
    validate_magic_link,
    validate_email,
 )
 SESSION_USER_KEY = "uid"
 ALLOWED_CLIENTS = {"blog", "market", "cart", "events", "federation"}
 def register(url_prefix="/auth"):
    auth_bp = Blueprint("auth", __name__, url_prefix=url_prefix)
    # --- OAuth2 authorize endpoint -------------------------------------------
    @auth_bp.get("/oauth/authorize")
    @auth_bp.get("/oauth/authorize/")
    async def oauth_authorize():
        client_id = request.args.get("client_id", "")
        redirect_uri = request.args.get("redirect_uri", "")
        state = request.args.get("state", "")
        if client_id not in ALLOWED_CLIENTS:
            return "Invalid client_id", 400
        expected_redirect = app_url(client_id, "/auth/callback")
        if redirect_uri != expected_redirect:
            return "Invalid redirect_uri", 400
        # Not logged in — bounce to magic link login, then back here
        if not g.get("user"):
            # Preserve the full authorize URL so we return here after login
            authorize_path = request.full_path  # includes query string
            store_login_redirect_target()
            return redirect(url_for("auth.login_form", next=authorize_path))
        # Logged in — issue authorization code
        code = secrets.token_urlsafe(48)
        now = datetime.now(timezone.utc)
        expires = now + timedelta(minutes=5)
        async with get_session() as s:
            async with s.begin():
                oauth_code = OAuthCode(
                    code=code,
                    user_id=g.user.id,
                    client_id=client_id,
                    redirect_uri=redirect_uri,
                    expires_at=expires,
                )
                s.add(oauth_code)
        sep = "&" if "?" in redirect_uri else "?"
        return redirect(f"{redirect_uri}{sep}code={code}&state={state}")
    # --- Magic link login flow -----------------------------------------------
    @auth_bp.get("/login/")
    async def login_form():
        store_login_redirect_target()
        cross_cart_sid = request.args.get("cart_sid")
        if cross_cart_sid:
            qsession["cart_sid"] = cross_cart_sid
        if g.get("user"):
            # If there's a pending redirect (e.g. OAuth authorize), follow it
            redirect_url = pop_login_redirect_target()
            return redirect(redirect_url)
        return await render_template("auth/login.html")
    @auth_bp.post("/start/")
    async def start_login():
        form = await request.form
        email_input = form.get("email") or ""
        is_valid, email = validate_email(email_input)
        if not is_valid:
            return (
                await render_template(
                    "auth/login.html",
                    error="Please enter a valid email address.",
                    email=email_input,
                ),
                400,
            )
        user = await find_or_create_user(g.s, email)
        token, expires = await create_magic_link(g.s, user.id)
        from shared.utils import host_url
        magic_url = host_url(url_for("auth.magic", token=token))
        email_error = None
        try:
            await send_magic_email(email, magic_url)
        except Exception as e:
            current_app.logger.error("EMAIL SEND FAILED: %r", e)
            email_error = (
                "We couldn't send the email automatically. "
                "Please try again in a moment."
            )
        return await render_template(
            "auth/check_email.html",
            email=email,
            email_error=email_error,
        )
    @auth_bp.get("/magic/<token>/")
    async def magic(token: str):
        now = datetime.now(timezone.utc)
        user_id: int | None = None
        try:
            async with get_session() as s:
                async with s.begin():
                    user, error = await validate_magic_link(s, token)
                    if error:
                        return (
                            await render_template("auth/login.html", error=error),
                            400,
                        )
                    user_id = user.id
        except Exception:
            return (
                await render_template(
                    "auth/login.html",
                    error="Could not sign you in right now. Please try again.",
                ),
                502,
            )
        assert user_id is not None
        ident = current_cart_identity()
        anon_session_id = ident.get("session_id")
        try:
            async with get_session() as s:
                async with s.begin():
                    u2 = await s.get(User, user_id)
                    if u2:
                        u2.last_login_at = now
                    if anon_session_id:
                        await emit_activity(
                            s,
                            activity_type="rose:Login",
                            actor_uri="internal:system",
                            object_type="Person",
                            object_data={
                                "user_id": user_id,
                                "session_id": anon_session_id,
                            },
                        )
        except SQLAlchemyError:
            current_app.logger.exception(
                "[auth] non-fatal DB update for user_id=%s", user_id
            )
        qsession[SESSION_USER_KEY] = user_id
        redirect_url = pop_login_redirect_target()
        resp = redirect(redirect_url, 303)
        resp.set_cookie(
            "sso_hint", "1",
            domain=".rose-ash.com", max_age=30 * 24 * 3600,
            secure=True, samesite="Lax", httponly=True,
        )
        return resp
    @auth_bp.post("/logout/")
    async def logout():
        qsession.pop(SESSION_USER_KEY, None)
        resp = redirect(account_url("/"))
        resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
        return resp
    @auth_bp.get("/clear/")
    async def clear():
        """One-time migration helper: clear all session cookies."""
        qsession.clear()
        resp = redirect(account_url("/"))
        resp.delete_cookie("blog_session", domain=".rose-ash.com", path="/")
        resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
        return resp
    @auth_bp.get("/sso-logout/")
    async def sso_logout():
        """SSO logout: clear account session + sso_hint, redirect to blog."""
        qsession.pop(SESSION_USER_KEY, None)
        from shared.infrastructure.urls import blog_url
        resp = redirect(blog_url("/"))
        resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
        return resp
    return auth_bp
--- a/bp/auth/services/init.py
+++ b/bp/auth/services/init.py
@@ -0,0 +1,24 @@
 from .login_redirect import pop_login_redirect_target, store_login_redirect_target
 from .auth_operations import (
    get_app_host,
    get_app_root,
    send_magic_email,
    load_user_by_id,
    find_or_create_user,
    create_magic_link,
    validate_magic_link,
    validate_email,
 )
 __all__ = [
    "pop_login_redirect_target",
    "store_login_redirect_target",
    "get_app_host",
    "get_app_root",
    "send_magic_email",
    "load_user_by_id",
    "find_or_create_user",
    "create_magic_link",
    "validate_magic_link",
    "validate_email",
 ]
--- a/bp/auth/services/auth_operations.py
+++ b/bp/auth/services/auth_operations.py
@@ -0,0 +1,156 @@
 """Auth operations for the account app.
 Owns magic-link login. Shared models, shared config.
 """
 from __future__ import annotations
 import os
 import secrets
 from datetime import datetime, timedelta, timezone
 from typing import Optional, Tuple
 from quart import current_app, render_template, request, g
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
 from shared.models import User, MagicLink
 from shared.config import config
 def get_app_host() -> str:
    host = (
        config().get("host") or os.getenv("APP_HOST") or "http://localhost:8000"
    ).rstrip("/")
    return host
 def get_app_root() -> str:
    root = (g.root).rstrip("/")
    return root
 async def send_magic_email(to_email: str, link_url: str) -> None:
    host = os.getenv("SMTP_HOST")
    port = int(os.getenv("SMTP_PORT") or "587")
    username = os.getenv("SMTP_USER")
    password = os.getenv("SMTP_PASS")
    mail_from = os.getenv("MAIL_FROM") or "no-reply@example.com"
    site_name = config().get("title", "Rose Ash")
    subject = f"Your sign-in link \u2014 {site_name}"
    tpl_vars = dict(site_name=site_name, link_url=link_url)
    text_body = await render_template("_email/magic_link.txt", **tpl_vars)
    html_body = await render_template("_email/magic_link.html", **tpl_vars)
    if not host or not username or not password:
        current_app.logger.warning(
            "SMTP not configured. Printing magic link to console for %s: %s",
            to_email,
            link_url,
        )
        print(f"[DEV] Magic link for {to_email}: {link_url}")
        return
    import aiosmtplib
    from email.message import EmailMessage
    msg = EmailMessage()
    msg["From"] = mail_from
    msg["To"] = to_email
    msg["Subject"] = subject
    msg.set_content(text_body)
    msg.add_alternative(html_body, subtype="html")
    is_secure = port == 465
    if is_secure:
        smtp = aiosmtplib.SMTP(
            hostname=host, port=port, use_tls=True,
            username=username, password=password,
        )
    else:
        smtp = aiosmtplib.SMTP(
            hostname=host, port=port, start_tls=True,
            username=username, password=password,
        )
    async with smtp:
        await smtp.send_message(msg)
 async def load_user_by_id(session: AsyncSession, user_id: int) -> Optional[User]:
    stmt = (
        select(User)
        .options(selectinload(User.labels))
        .where(User.id == user_id)
    )
    result = await session.execute(stmt)
    return result.scalar_one_or_none()
 async def find_or_create_user(session: AsyncSession, email: str) -> User:
    result = await session.execute(select(User).where(User.email == email))
    user = result.scalar_one_or_none()
    if user is None:
        user = User(email=email)
        session.add(user)
        await session.flush()
    return user
 async def create_magic_link(
    session: AsyncSession,
    user_id: int,
    purpose: str = "signin",
    expires_minutes: int = 15,
 ) -> Tuple[str, datetime]:
    token = secrets.token_urlsafe(32)
    expires = datetime.now(timezone.utc) + timedelta(minutes=expires_minutes)
    ml = MagicLink(
        token=token,
        user_id=user_id,
        purpose=purpose,
        expires_at=expires,
        ip=request.headers.get("x-forwarded-for", request.remote_addr),
        user_agent=request.headers.get("user-agent"),
    )
    session.add(ml)
    return token, expires
 async def validate_magic_link(
    session: AsyncSession,
    token: str,
 ) -> Tuple[Optional[User], Optional[str]]:
    now = datetime.now(timezone.utc)
    ml = await session.scalar(
        select(MagicLink)
        .where(MagicLink.token == token)
        .with_for_update()
    )
    if not ml or ml.purpose != "signin":
        return None, "Invalid or expired link."
    if ml.used_at or ml.expires_at < now:
        return None, "This link has expired. Please request a new one."
    user = await session.get(User, ml.user_id)
    if not user:
        return None, "User not found."
    ml.used_at = now
    return user, None
 def validate_email(email: str) -> Tuple[bool, str]:
    email = email.strip().lower()
    if not email or "@" not in email:
        return False, email
    return True, email
--- a/bp/auth/services/login_redirect.py
+++ b/bp/auth/services/login_redirect.py
@@ -0,0 +1,45 @@
 from urllib.parse import urlparse
 from quart import session
 from shared.infrastructure.urls import account_url
 LOGIN_REDIRECT_SESSION_KEY = "login_redirect_to"
 def store_login_redirect_target() -> None:
    from quart import request
    target = request.args.get("next")
    if not target:
        ref = request.referrer or ""
        try:
            parsed = urlparse(ref)
            target = parsed.path or ""
        except Exception:
            target = ""
    if not target:
        return
    # Accept both relative paths and absolute URLs (cross-app redirects)
    if target.startswith("http://") or target.startswith("https://"):
        session[LOGIN_REDIRECT_SESSION_KEY] = target
    elif target.startswith("/") and not target.startswith("//"):
        session[LOGIN_REDIRECT_SESSION_KEY] = target
 def pop_login_redirect_target() -> str:
    path = session.pop(LOGIN_REDIRECT_SESSION_KEY, None)
    if not path or not isinstance(path, str):
        return account_url("/")
    # Absolute URL: return as-is (cross-app redirect)
    if path.startswith("http://") or path.startswith("https://"):
        return path
    # Relative path: must start with / and not //
    if path.startswith("/") and not path.startswith("//"):
        return account_url(path)
    return account_url("/")
--- a/cart/init.py
+++ b/cart/init.py
--- a/cart/models/init.py
+++ b/cart/models/init.py
@@ -0,0 +1,2 @@
 from .order import Order, OrderItem
 from .page_config import PageConfig
--- a/cart/models/order.py
+++ b/cart/models/order.py
@@ -0,0 +1 @@
 from shared.models.order import Order, OrderItem  # noqa: F401
--- a/cart/models/page_config.py
+++ b/cart/models/page_config.py
@@ -0,0 +1 @@
 from shared.models.page_config import PageConfig  # noqa: F401
--- a/events/init.py
+++ b/events/init.py
--- a/events/models/init.py
+++ b/events/models/init.py
@@ -0,0 +1,4 @@
 from .calendars import (
    Calendar, CalendarEntry, CalendarSlot,
    TicketType, Ticket, CalendarEntryPost,
 )
--- a/events/models/calendars.py
+++ b/events/models/calendars.py
@@ -0,0 +1,4 @@
 from shared.models.calendars import (  # noqa: F401
    Calendar, CalendarEntry, CalendarSlot,
    TicketType, Ticket, CalendarEntryPost,
 )
--- a/market/init.py
+++ b/market/init.py
--- a/market/models/init.py
+++ b/market/models/init.py
@@ -0,0 +1,8 @@
 from .market import (
    Product, ProductLike, ProductImage, ProductSection,
    NavTop, NavSub, Listing, ListingItem,
    LinkError, LinkExternal, SubcategoryRedirect, ProductLog,
    ProductLabel, ProductSticker, ProductAttribute, ProductNutrition, ProductAllergen,
    CartItem,
 )
 from .market_place import MarketPlace
--- a/market/models/market.py
+++ b/market/models/market.py
@@ -0,0 +1,7 @@
 from shared.models.market import (  # noqa: F401
    Product, ProductLike, ProductImage, ProductSection,
    NavTop, NavSub, Listing, ListingItem,
    LinkError, LinkExternal, SubcategoryRedirect, ProductLog,
    ProductLabel, ProductSticker, ProductAttribute, ProductNutrition, ProductAllergen,
    CartItem,
 )
--- a/market/models/market_place.py
+++ b/market/models/market_place.py
@@ -0,0 +1 @@
 from shared.models.market_place import MarketPlace  # noqa: F401
--- a/2
+++ b/2
--- a/templates/_email/magic_link.html
+++ b/templates/_email/magic_link.html
@@ -0,0 +1,33 @@
 <!DOCTYPE html>
 <html lang="en">
 <head><meta charset="utf-8"></head>
 <body style="margin:0;padding:0;background:#f5f5f4;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;">
  <table width="100%" cellpadding="0" cellspacing="0" style="background:#f5f5f4;padding:40px 0;">
    <tr><td align="center">
      <table width="480" cellpadding="0" cellspacing="0" style="background:#ffffff;border-radius:12px;border:1px solid #e7e5e4;padding:40px;">
        <tr><td>
          <h1 style="margin:0 0 8px;font-size:20px;font-weight:600;color:#1c1917;">{{ site_name }}</h1>
          <p style="margin:0 0 24px;font-size:15px;color:#57534e;">Sign in to your account</p>
          <p style="margin:0 0 24px;font-size:15px;line-height:1.5;color:#44403c;">
            Click the button below to sign in. This link will expire in 15&nbsp;minutes.
          </p>
          <table cellpadding="0" cellspacing="0" style="margin:0 0 24px;"><tr><td style="border-radius:8px;background:#1c1917;">
            <a href="{{ link_url }}" target="_blank"
               style="display:inline-block;padding:12px 32px;font-size:15px;font-weight:500;color:#ffffff;text-decoration:none;border-radius:8px;">
              Sign in
            </a>
          </td></tr></table>
          <p style="margin:0 0 8px;font-size:13px;color:#78716c;">Or copy and paste this link into your browser:</p>
          <p style="margin:0 0 24px;font-size:13px;word-break:break-all;">
            <a href="{{ link_url }}" style="color:#1c1917;">{{ link_url }}</a>
          </p>
          <hr style="border:none;border-top:1px solid #e7e5e4;margin:24px 0;">
          <p style="margin:0;font-size:12px;color:#a8a29e;">
            If you did not request this email, you can safely ignore it.
          </p>
        </td></tr>
      </table>
    </td></tr>
  </table>
 </body>
 </html>
--- a/templates/_email/magic_link.txt
+++ b/templates/_email/magic_link.txt
@@ -0,0 +1,8 @@
 Hello,
 Click this link to sign in:
 {{ link_url }}
 This link will expire in 15 minutes.
 If you did not request this, you can ignore this email.
--- a/templates/auth/check_email.html
+++ b/templates/auth/check_email.html
@@ -0,0 +1,19 @@
 {% extends "_types/root/_index.html" %}
 {% block meta %}{% endblock %}
 {% block title %}Check your email — Rose Ash{% endblock %}
 {% block content %}
 <div class="py-8 max-w-md mx-auto text-center">
  <h1 class="text-2xl font-bold mb-4">Check your email</h1>
  <p class="text-stone-600 mb-2">
    We sent a sign-in link to <strong>{{ email }}</strong>.
  </p>
  <p class="text-stone-500 text-sm">
    Click the link in the email to sign in. The link expires in 15 minutes.
  </p>
  {% if email_error %}
    <div class="bg-yellow-50 border border-yellow-200 text-yellow-700 p-3 rounded mt-4">
      {{ email_error }}
    </div>
  {% endif %}
 </div>
 {% endblock %}
--- a/templates/auth/login.html
+++ b/templates/auth/login.html
@@ -0,0 +1,36 @@
 {% extends "_types/root/_index.html" %}
 {% block meta %}{% endblock %}
 {% block title %}Login — Rose Ash{% endblock %}
 {% block content %}
 <div class="py-8 max-w-md mx-auto">
  <h1 class="text-2xl font-bold mb-6">Sign in</h1>
  {% if error %}
    <div class="bg-red-50 border border-red-200 text-red-700 p-3 rounded mb-4">
      {{ error }}
    </div>
  {% endif %}
  <form method="post" action="{{ url_for('auth.start_login') }}" class="space-y-4">
    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
    <div>
      <label for="email" class="block text-sm font-medium mb-1">Email address</label>
      <input
        type="email"
        name="email"
        id="email"
        value="{{ email | default('') }}"
        required
        autofocus
        class="w-full border border-stone-300 rounded px-3 py-2 focus:outline-none focus:ring-2 focus:ring-stone-500"
      >
    </div>
    <button
      type="submit"
      class="w-full bg-stone-800 text-white py-2 px-4 rounded hover:bg-stone-700 transition"
    >
      Send magic link
    </button>
  </form>
 </div>
 {% endblock %}
`@@ -1 +1,2 @@`
	`from .account.routes import register as register_account_bp`	`from .account.routes import register as register_account_bp`
		`from .auth.routes import register as register_auth_bp`
		`@@ -0,0 +1,2 @@`
							`from .order import Order, OrderItem`
							`from .page_config import PageConfig`
		`@@ -0,0 +1 @@`
							`from shared.models.order import Order, OrderItem # noqa: F401`
		`@@ -0,0 +1 @@`
							`from shared.models.page_config import PageConfig # noqa: F401`
		`@@ -0,0 +1 @@`
							`from shared.models.market_place import MarketPlace # noqa: F401`