Add JWT authentication and user profile endpoints with bcrypt password hashing

.gitignore

@@ -0,0 +1,32 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+*.egg-info/
+dist/
+build/
+
+# Virtual Environment
+venv/
+env/
+ENV/
+
+# Database
+*.db
+*.sqlite
+*.sqlite3
+
+# Environment variables
+.env
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db

ARCHITECTURE.md

@@ -0,0 +1,253 @@
+# Authentication Flow Diagrams
+
+## Registration Flow
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant API
+    participant Database
+    participant Bcrypt
+
+    Client->>API: POST /register<br/>{username, password, email, ...}
+    API->>Database: Check if username/email exists
+    alt User exists
+        Database-->>API: User found
+        API-->>Client: 400 Bad Request<br/>"Username or email already registered"
+    else User doesn't exist
+        Database-->>API: No user found
+        API->>Bcrypt: hash_password(password)
+        Bcrypt-->>API: bcrypt_hash
+        API->>Database: INSERT User with bcrypt_hash
+        Database-->>API: User created
+        API-->>Client: 200 OK<br/>"Welcome! Registration successful"
+    end
+```
+
+## Login Flow
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant API
+    participant Database
+    participant Bcrypt
+    participant JWT
+
+    Client->>API: POST /login<br/>username=user&password=pass
+    API->>Database: SELECT User WHERE username=user
+    alt User not found
+        Database-->>API: No user found
+        API-->>Client: 401 Unauthorized<br/>"Incorrect username or password"
+    else User found
+        Database-->>API: User with hashed_password
+        API->>Bcrypt: verify_password(password, hashed_password)
+        alt Password incorrect
+            Bcrypt-->>API: False
+            API-->>Client: 401 Unauthorized<br/>"Incorrect username or password"
+        else Password correct
+            Bcrypt-->>API: True
+            API->>JWT: create_access_token(username, exp=30min)
+            JWT-->>API: JWT token
+            API-->>Client: 200 OK<br/>{access_token, token_type, expires_in}
+        end
+    end
+```
+
+## Profile Access Flow
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant API
+    participant JWT
+    participant Database
+
+    Client->>API: GET /me<br/>Authorization: Bearer <token>
+    API->>JWT: decode(token, SECRET_KEY)
+    alt Invalid/Expired Token
+        JWT-->>API: JWTError
+        API-->>Client: 401 Unauthorized<br/>"Could not validate credentials"
+    else Valid Token
+        JWT-->>API: {sub: username, exp: ...}
+        API->>Database: SELECT User WHERE username=username
+        alt User not found
+            Database-->>API: No user found
+            API-->>Client: 401 Unauthorized<br/>"Could not validate credentials"
+        else User found
+            Database-->>API: User data
+            API-->>Client: 200 OK<br/>{id, username, email, first_name, ...}
+        end
+    end
+```
+
+## Password Verification (with Legacy Support)
+
+```mermaid
+flowchart TD
+    A[verify_password<br/>plain_password, hashed_password] --> B{Try bcrypt verify}
+    B -->|Success| C[Return True]
+    B -->|Exception/Fail| D{Check if starts with 'hashed_'}
+    D -->|Yes| E{Compare: hashed_password == 'hashed_' + plain_password}
+    D -->|No| F[Return False]
+    E -->|Match| G[Return True<br/>Legacy password verified]
+    E -->|No Match| F
+```
+
+## Token Lifecycle
+
+```mermaid
+stateDiagram-v2
+    [*] --> Created: User logs in
+    Created --> Valid: Token issued (exp: now + 30min)
+    Valid --> Expired: After 30 minutes
+    Valid --> Used: Client makes authenticated request
+    Used --> Valid: Token still valid
+    Expired --> [*]: Token rejected
+
+    note right of Valid
+        Token can be used for
+        any protected endpoint
+        until expiration
+    end note
+
+    note right of Expired
+        Client must login again
+        to get new token
+    end note
+```
+
+## Architecture Overview
+
+```mermaid
+graph TB
+    subgraph "Client Applications"
+        A[Web Browser]
+        B[Mobile App]
+        C[API Client]
+    end
+
+    subgraph "FastAPI Application"
+        D[Public Endpoints<br/>/register, /login]
+        E[Protected Endpoints<br/>/me]
+        F[API Key Endpoints<br/>/languages, /docs-source]
+        G[OAuth2PasswordBearer]
+        H[get_current_user]
+    end
+
+    subgraph "Authentication Layer"
+        I[Password Hashing<br/>Bcrypt]
+        J[JWT Creation<br/>python-jose]
+        K[Token Verification]
+    end
+
+    subgraph "Data Layer"
+        L[(SQLite Database<br/>User Table)]
+    end
+
+    A --> D
+    B --> D
+    C --> D
+    A --> E
+    B --> E
+    C --> E
+    A --> F
+    B --> F
+    C --> F
+
+    D --> I
+    D --> J
+    D --> L
+
+    E --> G
+    G --> K
+    K --> H
+    H --> L
+
+    F --> L
+```
+
+## Security Flow
+
+```mermaid
+flowchart LR
+    subgraph "Registration"
+        A[Plain Password] --> B[Bcrypt Hash]
+        B --> C[Store in DB]
+    end
+
+    subgraph "Login"
+        D[Username + Password] --> E[Find User]
+        E --> F[Verify Password]
+        F --> G[Generate JWT]
+        G --> H[Return Token]
+    end
+
+    subgraph "Protected Access"
+        I[Request + Token] --> J[Verify JWT]
+        J --> K[Extract Username]
+        K --> L[Load User]
+        L --> M[Return Data]
+    end
+
+    C -.->|Password never<br/>stored in plain| E
+    H -.->|Token contains<br/>no password| I
+```
+
+## API Endpoints Overview
+
+```mermaid
+graph LR
+    subgraph "Authentication Endpoints"
+        A[POST /register<br/>Public]
+        B[POST /login<br/>Public]
+    end
+
+    subgraph "Protected Endpoints"
+        C[GET /me<br/>Requires JWT]
+    end
+
+    subgraph "API Key Endpoints"
+        D[GET /languages<br/>Requires API Key]
+        E[POST /docs-source<br/>Requires API Key]
+    end
+
+    A -->|Creates| F[(User)]
+    B -->|Validates| F
+    B -->|Returns| G[JWT Token]
+    C -->|Uses| G
+    C -->|Fetches| F
+```
+
+## Error Handling
+
+```mermaid
+flowchart TD
+    A[Request] --> B{Endpoint Type}
+
+    B -->|Public| C{Valid Data?}
+    C -->|No| D[422 Validation Error]
+    C -->|Yes| E{User Exists?}
+    E -->|Yes| F[400 Bad Request]
+    E -->|No| G[200 Success]
+
+    B -->|Protected| H{Token Provided?}
+    H -->|No| I[401 Not Authenticated]
+    H -->|Yes| J{Token Valid?}
+    J -->|No| K[401 Invalid Credentials]
+    J -->|Yes| L{User Found?}
+    L -->|No| K
+    L -->|Yes| M[200 Success]
+
+    B -->|API Key| N{API Key Valid?}
+    N -->|No| O[401 Invalid API Key]
+    N -->|Yes| P[200 Success]
+```
+
+## Notes
+
+- All diagrams represent the current implementation
+- JWT tokens expire after 30 minutes
+- Bcrypt automatically handles salt generation
+- Legacy passwords (hashed_ prefix) are supported but deprecated
+- All endpoints include proper error handling and status codes