Add Done button, tablet controls, super admin management, midnight strike reset, and activity log improvements

- Done button snaps block to full duration, marks complete, logs "Marked Done by User"; Reset after Done fully un-completes the block
- Session action buttons stretch full-width and double height for tablet tapping
- Super admin: reset password, disable/enable accounts, delete user (with cascade), last active date per user's timezone
- Disabled account login returns specific error message instead of generic invalid credentials
- Users can change own password from Admin → Settings
- Strikes reset automatically at midnight in user's configured timezone (lazy reset on page load)
- Break timer state fully restored when navigating away and back to dashboard
- Timer no longer auto-starts on navigation if it wasn't running before
- Implicit pause guard: no duplicate pause events when switching already-paused blocks or starting a break
- Block selection events removed from activity log; all event types have human-readable labels
- House emoji favicon via inline SVG data URI
- README updated to reflect all changes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/routers/auth.py

@@ -1,3 +1,4 @@
+from datetime import datetime
 from fastapi import APIRouter, Depends, HTTPException, Response, Request, status
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
@@ -9,7 +10,7 @@ from app.auth.jwt import (
     hash_password,
     verify_password,
 )
-from app.dependencies import get_db
+from app.dependencies import get_db, get_current_user
 from app.models.user import User
 from app.models.subject import Subject
 from app.schemas.auth import LoginRequest, RegisterRequest, TokenResponse
@@ -58,10 +59,15 @@ async def register(body: RegisterRequest, response: Response, db: AsyncSession =
 
 @router.post("/login", response_model=TokenResponse)
 async def login(body: LoginRequest, response: Response, db: AsyncSession = Depends(get_db)):
-    result = await db.execute(select(User).where(User.email == body.email, User.is_active == True))
+    result = await db.execute(select(User).where(User.email == body.email))
     user = result.scalar_one_or_none()
     if not user or not verify_password(body.password, user.hashed_password):
         raise HTTPException(status_code=401, detail="Invalid credentials")
+    if not user.is_active:
+        raise HTTPException(status_code=403, detail="This account has been disabled. Please contact your administrator.")
+
+    user.last_active_at = datetime.utcnow()
+    await db.commit()
 
     access = create_access_token({"sub": str(user.id)})
     refresh = create_refresh_token({"sub": str(user.id)})
@@ -89,6 +95,9 @@ async def refresh_token(request: Request, response: Response, db: AsyncSession =
     if not user:
         raise HTTPException(status_code=401, detail="User not found")
 
+    user.last_active_at = datetime.utcnow()
+    await db.commit()
+
     access = create_access_token({"sub": str(user.id)})
     new_refresh = create_refresh_token({"sub": str(user.id)})
     response.set_cookie(REFRESH_COOKIE, new_refresh, **COOKIE_OPTS)
@@ -99,3 +108,20 @@ async def refresh_token(request: Request, response: Response, db: AsyncSession =
 async def logout(response: Response):
     response.delete_cookie(REFRESH_COOKIE)
     return {"detail": "Logged out"}
+
+
+@router.post("/change-password")
+async def change_password(
+    body: dict,
+    current_user: User = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+):
+    current = body.get("current_password", "")
+    new = body.get("new_password", "").strip()
+    if not current or not new:
+        raise HTTPException(status_code=400, detail="current_password and new_password are required")
+    if not verify_password(current, current_user.hashed_password):
+        raise HTTPException(status_code=400, detail="Current password is incorrect")
+    current_user.hashed_password = hash_password(new)
+    await db.commit()
+    return {"ok": True}