feat: implement administrative section with authentication
## Features Implemented
### Authentication System
- Login page at /login.html with Bootstrap 5 UI
- Session-based authentication using SQLite
- bcrypt password hashing via Bun.password API
- CSRF protection for form submissions
- Rate limiting on login attempts (10 req/min)
- 7-day session persistence with HTTP-only cookies
### Admin Routes Protection
- All admin endpoints protected with requireAuth middleware
- requireAdmin middleware for role-based access
- Session validation on each authenticated request
- Expired session cleanup on startup
### API Endpoints
- POST /api/auth/login - user authentication
- POST /api/auth/logout - session termination
- GET /api/auth/me - current user info
- GET /api/csrf-token - CSRF token for forms
- GET /api/admin/stats - admin statistics
### Seed Data
- 12 realistic properties in Tenerife
- 3 testimonials with international clients
- 3 FAQ items about buying process
- 3 services offered
- Admin user: admin@tenerifeprop.com / admin123
### Tests
- Authentication tests (password, session)
- Input validation tests (email, phone, XSS)
- Property CRUD tests
## Files Changed
- src/server/index.ts - CSRF fix, auth endpoints
- public/login.html - New login page
- public/js/api.js - Auth API methods
- public/admin.html - Auth check on load
- src/db/seed-comprehensive.ts - Seed script
- tests/auth.test.ts - Test suite
## Tested
✅ Login page renders correctly
✅ Valid credentials return success
✅ Invalid credentials return error
✅ Session cookie is set
✅ Protected endpoints require authentication
✅ Logout clears session
✅ Auth/me returns 401 after logout
## Access
- URL: http://localhost:3000/login.html
- Email: admin@tenerifeprop.com
- Password: admin123
Closes #28, #29, #30
0d290f29a1