Add user management and a settings page

README.md

@@ -11,8 +11,13 @@ A lightweight daemon that listens for UDP heartbeat messages and acts on them: k
 - Queue DNS updates via `nsupdate` and run them in a background thread ✅
 - WebSocket API for live updates (hosts & messages) ✅
 - Notification pipeline (email, Pushover, Mattermost, Signal) ✅
+- **User management & access control** ✅
+  - Optional user accounts with bcrypt-style password hashing (stdlib only)
+  - Per-host roles: owner, manager, monitor
+  - Session-based auth with cookie support (browser login page included)
+  - Backwards compatible: no auth required when no users are configured
 - **HTTP API & Web UI** ✅
-  - REST API for plugin data, alerts, and host information
+  - REST API for plugin data, alerts, host information, and user management
   - Live dashboard with WebSocket updates
   - Interactive plugin metrics visualization
   - Alerts dashboard with filtering and summaries
@@ -266,77 +271,93 @@ See [docs/THRESHOLD_ALERTING.md](docs/THRESHOLD_ALERTING.md) for comprehensive d
 
 ---
 
+## 👥 User Management
+
+Heartbeat supports optional user accounts with role-based access control per host.
+
+### Roles
+
+- **monitor** — view status, plugin data, alerts
+- **manager** — monitor + queue commands, trigger DNS, queue upgrades
+- **owner** — manager + drop host, transfer ownership, update access
+- **admin** (user flag) — owner-level access on every host
+
+When no users are configured the server runs in **unauthenticated mode** — all existing behaviour is unchanged.
+
+### Quick setup
+
+```yaml
+users:
+  alice:
+    full_name: Alice Smith
+    password: pbkdf2:sha256:...    # hbd passwd alice
+    admin: true
+
+default_owner: alice
+
+hosts:
+  webserver01:
+    owner: alice
+    managers: [bob]
+    monitors: [carol]
+```
+
+```bash
+# Generate a password hash
+hbd passwd alice
+```
+
+Browser users are redirected to `/login` automatically. The session cookie is set on login, so `fetch()` calls from dashboards work without any JavaScript changes.
+
+See [docs/USERS.md](docs/USERS.md) for complete user management documentation.
+
+---
+
 ## 🌐 HTTP API & Web UI
 
 Heartbeat includes a built-in HTTP/WebSocket server that provides both a REST API and web-based dashboards for monitoring and visualization.
 
 ### Features
 
-- **REST API**: JSON endpoints for accessing plugin data, alerts, and host information
+- **User auth**: Optional session-based authentication with per-host role enforcement
+- **REST API**: JSON endpoints for accessing plugin data, alerts, host information, and user management
 - **Live Dashboard**: Real-time WebSocket-powered host status view
 - **Plugin Metrics**: Interactive visualization of all plugin data with auto-refresh
 - **Alerts Dashboard**: Comprehensive alert monitoring with filtering and summaries
-- **CORS Support**: Configurable for integration with external applications
 
 ### Web Dashboards
 
-- **Live View** (`/live`): Real-time host connectivity, latency, and messages  
-- **Plugin Metrics** (`/plugins`): Browse and visualize metrics from all plugins  
-- **Alerts Dashboard** (`/alerts`): Monitor active alerts with severity filtering  
+- **Login** (`/login`): Browser login form (shown automatically when auth is configured)
+- **Live View** (`/live`): Real-time host connectivity, latency, and messages
+- **Plugin Metrics** (`/plugins`): Browse and visualize metrics from all plugins
+- **Alerts Dashboard** (`/alerts`): Monitor active alerts with severity filtering
 
 ### API Endpoints
 
 ```bash
+# Log in (when auth is configured)
+TOKEN=$(curl -s -X POST http://localhost:50004/api/0/auth/login \
+  -H 'Content-Type: application/json' \
+  -d '{"username":"alice","password":"secret"}' | jq -r .token)
+AUTH="-H \"Authorization: Bearer $TOKEN\""
+
 # List all monitored hosts
-curl http://localhost:50004/api/0/hosts
+curl $AUTH http://localhost:50004/api/0/hosts
 
 # Get all plugin data for a host
-curl http://localhost:50004/api/0/hosts/webserver01/plugins
+curl $AUTH http://localhost:50004/api/0/hosts/webserver01/plugins
 
 # Get detailed plugin history (last 50 samples)
-curl http://localhost:50004/api/0/hosts/webserver01/plugins/cpu_monitor?limit=50
+curl $AUTH "http://localhost:50004/api/0/hosts/webserver01/plugins/cpu_monitor?limit=50"
 
 # Get alert states for a specific host
-curl http://localhost:50004/api/0/hosts/webserver01/alerts
+curl $AUTH http://localhost:50004/api/0/hosts/webserver01/alerts
 
 # Get all active alerts across all hosts
-curl http://localhost:50004/api/0/alerts
-```
+curl $AUTH http://localhost:50004/api/0/alerts
 
-### Integration Examples
-
-**Python Client:**
-```python
-import requests
-
-# Monitor for critical alerts
-response = requests.get('http://localhost:50004/api/0/alerts')
-alerts = response.json()
-
-if alerts['summary']['critical'] > 0:
-    print(f"⚠️ {alerts['summary']['critical']} CRITICAL alerts!")
-    for alert in alerts['alerts']:
-        if alert['level'] == 'CRITICAL':
-            print(f"  {alert['hostname']}: {alert['metric_path']} = {alert['last_value']}")
-```
-
-**Bash Monitoring Script:**
-```bash
-#!/bin/bash
-# Check for critical alerts
-CRITICAL=$(curl -s http://localhost:50004/api/0/alerts | jq '.summary.critical')
-if [ "$CRITICAL" -gt 0 ]; then
-    echo "CRITICAL: $CRITICAL critical alerts detected!"
-    # Send notification
-fi
-```
-
-### Demo & Testing
-
-Run the API demo script to test all endpoints:
-
-```bash
-python3 scripts/demo_http_api.py
+# View/update host access roles
+curl $AUTH http://localhost:50004/api/0/hosts/webserver01/access
 ```
 
 See [docs/HTTP_API.md](docs/HTTP_API.md) for complete API documentation including response formats, error handling, and integration examples.
@@ -452,6 +473,8 @@ Set breakpoints in modules such as `hbd/udp.py`, `hbd/dns.py`, or `hbd/server.py
 - `cert_path`: directory where TLS certificate and key are looked up (default: /usr/local/etc/ssl/)
 - `wss_pem`: filename for the certificate chain (default: fullchain.pem)
 - `wss_key`: filename for the private key (default: privkey.pem)
+- `users`: mapping of username → user attributes (full_name, avatar, password, admin, notification_channels)
+- `default_owner`: username that owns hosts with no explicit owner (falls back to first admin user)
 
 Example `.hb.yaml` (minimal):