manual submit

web/auth.py

@@ -37,12 +37,17 @@ _COOKIE_NAME = "ttb_session"
 def _get_secret() -> str:
     from web.deps import get_config
     cfg = get_config()
-    if cfg and cfg.web_secret_key:
-        return cfg.web_secret_key
-    raise RuntimeError(
-        "WEB_SECRET_KEY must be set in the environment — "
-        "refusing to run with an insecure default."
-    )
+    key = cfg.web_secret_key if cfg else ""
+    if not key:
+        raise RuntimeError(
+            "WEB_SECRET_KEY must be set in the environment — "
+            "refusing to run with an insecure default."
+        )
+    if len(key) < 32:
+        raise RuntimeError(
+            "WEB_SECRET_KEY is too short (got %d chars, need ≥ 32)." % len(key)
+        )
+    return key
 
 
 def create_jwt(label: str, *, admin: bool = False, expire_hours: int = 8) -> str:
@@ -102,6 +107,13 @@ def require_auth(ttb_session: Optional[str] = Cookie(default=None)) -> dict:
     return payload
 
 
+def optional_auth(ttb_session: Optional[str] = Cookie(default=None)) -> Optional[dict]:
+    """Returns decoded JWT payload or None. Never raises 401."""
+    if not ttb_session:
+        return None
+    return decode_jwt(ttb_session)
+
+
 def require_admin(user: dict = Depends(require_auth)) -> dict:
     """
     FastAPI dependency that requires an admin JWT.