[WIP] Prototype of a username/password authentication system#285

Draft
plotfi wants to merge 1 commit into quackduck:main from plotfi:main

Conversation

@plotfi commented May 14, 2026

  • Adds require_auth and require_admin_auth config flags
  • When require_auth is enabled, only registered users can connect and must provide a password
  • Admins identified by SSH key hash bypass auth unless require_admin_auth is also set
  • Passwords are bcrypt-hashed and stored in user-auth.json
  • Prefs are keyed by authenticated username rather than IP-based ID
  • Sensitive commands (adduser, removeuser, passwd) are intercepted before room broadcast to prevent password leakage

Full disclosure, I prototyped this using Claude. But I still think it's straightforward enough to look at as inspiration for a username/password login system.

Adds require_auth and require_admin_auth config flags. When require_auth
is enabled, only registered users can connect and must provide a password.
Admins identified by SSH key hash bypass auth unless require_admin_auth
is also set. Passwords are bcrypt-hashed and stored in user-auth.json.
Prefs are keyed by authenticated username rather than IP-based ID.
Sensitive commands (adduser, removeuser, passwd) are intercepted before
room broadcast to prevent password leakage.
@plotfi plotfi marked this pull request as draft May 14, 2026 08:03
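The description above sketches the whole mechanism: two config flags, admins recognised by an SSH key hash, salted password hashes in a JSON file, and a gate in front of the sensitive commands. The following is an added example that models that flow end to end; it is not Devzat's code and not the PR's own patch. It assumes the admin key is a fingerprint string (how Devzat derives it is not shown on this page), that commands arrive as the first token of a line with or without a leading slash, and, because bcrypt is not in Go's standard library, it substitutes PBKDF2-HMAC-SHA256 (RFC 8018) so the block runs with no dependencies. Store layout, flag names and fingerprint values are illustrative.

```go
// Added example (not Devzat's code): a stdlib-only model of the PR's scheme.
// PBKDF2-HMAC-SHA256 stands in for bcrypt; the gating logic is the same either way.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Config mirrors the two flags the PR describes. Admins is keyed by an SSH
// public-key fingerprint string (assumed format, e.g. "SHA256:...").
type Config struct {
	RequireAuth      bool
	RequireAdminAuth bool
	Admins           map[string]bool
}

// credential is one entry of the JSON store: salt, iteration count and the
// derived key are stored, never the password itself.
type credential struct {
	Salt string `json:"salt"`
	Hash string `json:"hash"`
	Iter int    `json:"iter"`
}

type Store struct {
	Users map[string]credential `json:"users"`
}

const (
	defaultIter   = 100000
	derivedKeyLen = 32
)

// dummy is used for unknown usernames so a failed lookup costs the same as a
// failed password, which blunts username enumeration by response time.
var dummy = credential{Salt: strings.Repeat("00", 16), Iter: defaultIter}

// pbkdf2SHA256 implements RFC 8018 PBKDF2 with HMAC-SHA256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)                 // U_1
		t := append([]byte(nil), u...)    // T = U_1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)              // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j]              // T ^= U_i
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func NewStore() *Store { return &Store{Users: map[string]credential{}} }

// AddUser creates or replaces a user with a fresh random salt (adduser/passwd).
func (s *Store) AddUser(name, password string) error {
	if name == "" || password == "" {
		return errors.New("username and password must be non-empty")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	key := pbkdf2SHA256([]byte(password), salt, defaultIter, derivedKeyLen)
	s.Users[name] = credential{Salt: hex.EncodeToString(salt), Hash: hex.EncodeToString(key), Iter: defaultIter}
	return nil
}

func (s *Store) RemoveUser(name string) { delete(s.Users, name) }

// Verify runs the KDF even for unknown users and compares in constant time.
func (s *Store) Verify(name, password string) bool {
	c, ok := s.Users[name]
	if !ok {
		c = dummy
	}
	salt, err1 := hex.DecodeString(c.Salt)
	want, err2 := hex.DecodeString(c.Hash)
	if err1 != nil || err2 != nil {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, c.Iter, derivedKeyLen)
	return ok && hmac.Equal(got, want)
}

// Marshal/LoadStore model writing and reading user-auth.json.
func (s *Store) Marshal() ([]byte, error) { return json.MarshalIndent(s, "", "  ") }

func LoadStore(data []byte) (*Store, error) {
	s := NewStore()
	if err := json.Unmarshal(data, s); err != nil {
		return nil, err
	}
	if s.Users == nil {
		s.Users = map[string]credential{}
	}
	return s, nil
}

type Decision struct {
	Allowed bool
	Reason  string
}

// Authorize applies the PR's rules: no auth unless require_auth; admin keys
// bypass the password unless require_admin_auth; otherwise a registered
// user must present the right password.
func Authorize(cfg Config, store *Store, username, keyFingerprint, password string) Decision {
	if !cfg.RequireAuth {
		return Decision{true, "require_auth is off"}
	}
	if cfg.Admins[keyFingerprint] && !cfg.RequireAdminAuth {
		return Decision{true, "admin key, require_admin_auth is off"}
	}
	if store.Verify(username, password) {
		return Decision{true, "password verified"}
	}
	return Decision{false, "unknown user or wrong password"}
}

var sensitiveCommands = map[string]bool{"adduser": true, "removeuser": true, "passwd": true}

// IsSensitiveCommand reports whether a line must be handled before any
// room broadcast. Assumes the command is the first token, slash optional.
func IsSensitiveCommand(line string) bool {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return false
	}
	return sensitiveCommands[strings.TrimPrefix(strings.ToLower(fields[0]), "/")]
}

func main() {
	store := NewStore()
	_ = store.AddUser("alice", "correct horse battery") // constructed sample user
	cfg := Config{RequireAuth: true, Admins: map[string]bool{"SHA256:exampleadminfp": true}}
	for _, try := range []struct{ user, fp, pw string }{
		{"alice", "", "correct horse battery"},
		{"alice", "", "wrong"},
		{"bob", "SHA256:exampleadminfp", ""},
	} {
		d := Authorize(cfg, store, try.user, try.fp, try.pw)
		fmt.Printf("%-6s allowed=%-5v %s\n", try.user, d.Allowed, d.Reason)
	}
	fmt.Println("intercept /passwd:", IsSensitiveCommand("/passwd newpass"))
}
```

Two points apply to the PR regardless of which KDF it ends up with: compare hashes in constant time and run the KDF for unknown usernames too, so response timing does not reveal who is registered; and treat the admin bypass as a credential in its own right, since with require_auth on and require_admin_auth off, possession of an admin key is the whole login.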
@PPTide (Contributor) commented May 14, 2026

Devzat already has an allowlist which enables similar functionality to this but using ssh keys. Adding password auth would be a major change to how Devzat works.

It also honestly doesn't make any sense to have password auth and passkey auth, and setting the server to public (to enable connecting w/o passkey on :443) is the opposite of your intentions.

I would always suggest opening an issue with your idea before spending tokens, to see if (AI generation of) the idea is even appreciated.

@plotfi (Author) commented May 14, 2026

@PPTide Does the allowlist get hot-reloaded or does it require a restart? Also, does it prevent new users from signing on or does it merely reserve usernames? Sorry to bother if this all should be more obvious.
