security: Remove all hardcoded passwords from codebase and documentation

- Require all passwords to be set via environment variables
- Application will not start without required environment variables
- Remove all hardcoded passwords from auth.py, login.html, and SECURITY.md
- Add proper error handling for missing environment variables
- Update login page to only fill username, not password
- Remove development fallback passwords for security compliance
- Update documentation to emphasize security requirements

BREAKING CHANGE: Environment variables AALEKH_PASSWORD, ADMIN_PASSWORD,
ISHITA_PASSWORD, and JEEB_PASSWORD are now required for app startup.

SECURITY.md

@@ -0,0 +1,81 @@
+# TreeTrack Security Configuration
+
+## Environment Variables for Authentication
+
+For security reasons, user passwords should be configured via environment variables instead of being hardcoded. The application supports the following environment variables:
+
+### Required Environment Variables
+
+Set these in your HuggingFace Space settings or deployment environment:
+
+```bash
+# Administrator passwords
+AALEKH_PASSWORD=your_secure_password_here
+ADMIN_PASSWORD=your_secure_admin_password_here
+
+# User passwords  
+ISHITA_PASSWORD=your_secure_password_here
+JEEB_PASSWORD=your_secure_password_here
+```
+
+### Security Requirement
+
+⚠️ **Critical**: All user passwords MUST be configured via environment variables. The application will not start without these environment variables being set.
+
+No default passwords are provided for security reasons.
+
+## How to Set Environment Variables in HuggingFace Spaces
+
+1. Go to your HuggingFace Space settings
+2. Navigate to the "Variables and secrets" section
+3. Add the following environment variables:
+   - `AALEKH_PASSWORD` - Set a strong password for Aalekh (admin)
+   - `ADMIN_PASSWORD` - Set a strong password for admin account
+   - `ISHITA_PASSWORD` - Set a strong password for Ishita
+   - `JEEB_PASSWORD` - Set a strong password for Jeeb
+4. Restart your space to apply the changes
+
+## Password Security Best Practices
+
+- Use strong passwords with at least 12 characters
+- Include uppercase, lowercase, numbers, and special characters
+- Avoid common words or personal information
+- Use unique passwords for each account
+- Consider using a password manager to generate secure passwords
+
+## User Roles and Permissions
+
+- **aalekh** & **admin**: Full administrative access (can edit/delete any tree)
+- **ishita** & **jeeb**: Researcher access (can add trees and edit their own trees)
+
+## Session Security
+
+- Sessions expire after 8 hours of inactivity
+- Automatic cleanup of expired sessions
+- Secure session tokens generated using cryptographically secure random numbers
+- All API endpoints require authentication
+
+## Additional Security Measures
+
+1. **HTTPS**: Always use HTTPS in production
+2. **Rate Limiting**: Consider implementing rate limiting for login attempts
+3. **Audit Logging**: All authentication events are logged
+4. **Password Hashing**: Passwords are hashed using PBKDF2 with 100,000 iterations
+5. **Session Management**: Secure session token generation and validation
+
+## Development vs Production
+
+### Development (Current Setup)
+- Default passwords are used if environment variables are not set
+- Suitable for testing and development environments
+
+### Production Recommendations
+- Always set secure passwords via environment variables
+- Use a proper database for user management
+- Implement additional security features like 2FA
+- Regular security audits and password rotation
+- Use proper logging and monitoring
+
+---
+
+Remember: Security is an ongoing process. Regularly review and update your security practices!

auth.py

@@ -5,6 +5,7 @@ Simple session-based authentication with predefined users
 
 import hashlib
 import secrets
+import os
 from typing import Dict, Optional, Any
 from datetime import datetime, timedelta
 import logging
@@ -16,11 +17,22 @@ class AuthManager:
         self.sessions: Dict[str, Dict[str, Any]] = {}
         self.session_timeout = timedelta(hours=8)  # 8-hour session timeout
         
+        # Get passwords from environment variables (required for security)
+        aalekh_password = os.getenv('AALEKH_PASSWORD')
+        admin_password = os.getenv('ADMIN_PASSWORD')
+        ishita_password = os.getenv('ISHITA_PASSWORD')
+        jeeb_password = os.getenv('JEEB_PASSWORD')
+        
+        # Check if all required passwords are set
+        if not all([aalekh_password, admin_password, ishita_password, jeeb_password]):
+            logger.error("Missing required password environment variables. Please set AALEKH_PASSWORD, ADMIN_PASSWORD, ISHITA_PASSWORD, and JEEB_PASSWORD.")
+            raise ValueError("Authentication passwords must be configured via environment variables")
+        
         # Predefined user accounts (in production, use a database)
         self.users = {
             # Administrator account
             "aalekh": {
-                "password_hash": self._hash_password("aalekh@maptrees"),
+                "password_hash": self._hash_password(aalekh_password),
                 "role": "admin",
                 "full_name": "Aalekh",
                 "permissions": ["read", "write", "delete", "admin"]
@@ -28,7 +40,7 @@ class AuthManager:
             
             # System account (for admin use)
             "admin": {
-                "password_hash": self._hash_password("admin@maptrees"),
+                "password_hash": self._hash_password(admin_password),
                 "role": "admin", 
                 "full_name": "System Administrator",
                 "permissions": ["read", "write", "delete", "admin"]
@@ -36,14 +48,14 @@ class AuthManager:
             
             # User accounts
             "ishita": {
-                "password_hash": self._hash_password("ishita@maptrees"),
+                "password_hash": self._hash_password(ishita_password),
                 "role": "researcher",
                 "full_name": "Ishita", 
                 "permissions": ["read", "write", "edit_own"]
             },
             
             "jeeb": {
-                "password_hash": self._hash_password("jeeb@maptrees"),
+                "password_hash": self._hash_password(jeeb_password),
                 "role": "researcher",
                 "full_name": "Jeeb",
                 "permissions": ["read", "write", "edit_own"]

static/login.html

@@ -272,23 +272,26 @@
         <div class="demo-accounts">
             <div class="demo-title">🔐 Available Accounts</div>
             <div class="account-list">
-                <div class="account-item" onclick="fillCredentials('aalekh', 'aalekh@maptrees')">
+                <div class="account-item" onclick="fillCredentials('aalekh')">
                     <div class="account-role">Aalekh (Admin)</div>
                     <div class="account-username">Full system access</div>
                 </div>
-                <div class="account-item" onclick="fillCredentials('admin', 'admin@maptrees')">
+                <div class="account-item" onclick="fillCredentials('admin')">
                     <div class="account-role">System Admin</div>
                     <div class="account-username">Administrative access</div>
                 </div>
-                <div class="account-item" onclick="fillCredentials('ishita', 'ishita@maptrees')">
+                <div class="account-item" onclick="fillCredentials('ishita')">
                     <div class="account-role">Ishita</div>
                     <div class="account-username">Tree research & documentation</div>
                 </div>
-                <div class="account-item" onclick="fillCredentials('jeeb', 'jeeb@maptrees')">
+                <div class="account-item" onclick="fillCredentials('jeeb')">
                     <div class="account-role">Jeeb</div>
                     <div class="account-username">Tree research & documentation</div>
                 </div>
             </div>
+            <div style="margin-top: 1rem; padding: 0.75rem; background: rgba(255, 193, 7, 0.1); border: 1px solid rgba(255, 193, 7, 0.3); border-radius: 8px; font-size: 0.75rem; color: #856404;">
+                ℹ️ <strong>Note:</strong> Contact your administrator for login credentials. Default passwords are only for development/testing.
+            </div>
         </div>
 
         <div class="footer">
@@ -297,9 +300,10 @@
     </div>
 
     <script>
-        function fillCredentials(username, password) {
+        function fillCredentials(username) {
             document.getElementById('username').value = username;
-            document.getElementById('password').value = password;
+            document.getElementById('password').value = '';
+            document.getElementById('password').focus();
             
             // Add visual feedback
             const accountItems = document.querySelectorAll('.account-item');
@@ -400,11 +404,11 @@
             }
         });
 
-        // Auto-fill demo credentials on page load for development
+        // Auto-fill demo username on page load for development
         document.addEventListener('DOMContentLoaded', () => {
-            // Auto-select ishita account for easy testing
+            // Auto-select ishita account for easy testing (password still needs to be entered)
             setTimeout(() => {
-                fillCredentials('ishita', 'ishita@maptrees');
+                fillCredentials('ishita');
             }, 1000);
         });
     </script>