# TODO

## Goal
Remove all authentication from the server and convert `order`/`delay` from path parameters to query parameters.

## Tasks

### 1. Remove authentication from `main.py`
- [x] Remove `HTTPBasic`, `HTTPBasicCredentials`, `Depends` imports (where used for auth)
- [x] Remove `security`, `expected_password`, `get_current_username`, and `set_auth_password` code
- [x] Remove `--password` CLI argument
- [x] Remove `set_auth_password(args.password)` call from `__main__`
- [x] Remove `username: str = Depends(get_current_username)` from all route handlers

### 2. Convert `order`/`delay` to query parameters in `main.py`
- [x] Merge `hash_page` and `hash_page_with_refresh` into a single `/{file_hash}` endpoint that accepts optional query params `order` (str, default None) and `delay` (int, default None)
- [x] Remove the `/{order}/{delay}` redirect route
- [x] Remove the `/{order}/{delay}/{file_hash}` route
- [x] Update `root` endpoint to accept optional `order`/`delay` query params and pass them through in the redirect URL
- [x] Update `_render_page` to generate URLs with query params (`/{hash}?order=next&delay=5`) instead of path segments
- [x] Update the play/pause button URLs to use query param format

### 3. Update `conftest.py`
- [x] Remove `_dummy_auth_header` function and `Authorization` header from `client_dir`/`client_zip` fixtures
- [x] Remove `set_auth_password(None)` calls from `initialized_dir`/`initialized_zip` fixtures
- [x] Remove `password` field from `args_directory`/`args_zip` fixtures (or keep as None if still in argparse)

### 4. Update `test_auth.py`
- [ ] Delete the entire `test_auth.py` file (all auth tests are no longer relevant)

### 5. Update `test_endpoints.py`
- [ ] Update `TestOrderDelayRoute` tests — remove or rewrite for query param routes
- [ ] Update `TestHashPageWithRefresh` tests to use query param URLs (`/{hash}?order=next&delay=5`)
- [ ] Update `TestHashPage` tests if needed (play button URLs changed)

### 6. Update `test_navigation.py`
- [ ] Remove `password=None` from `seeded_indexers` fixture args (if `--password` arg is removed)

### 7. Format and verify
- [ ] Run `uv run black .` to format all code
- [ ] Run `uv run pytest` to verify all tests pass

## Notes
- After removing auth, the `--password` CLI arg is gone entirely
- Query param format: `/{file_hash}?order=next&delay=5`
- The `order` query param accepts `"next"` or `"random"` (validated same as before)
- When `order`/`delay` are absent, behavior is identical to current browse mode