feat(auth): account lifecycle — Google linking, passwords, suspension & deletion plumbing

- Link a Google account to a password account, and adopt the Google identity onto a matching
  email account instead of 500ing on a duplicate; set or change a password from Settings.
- Expose has_google/has_password on /api/me for the Sign-in methods UI.
- Mark Google logins email-verified (backfill existing rows, migration 0024); stop a routine
  login from clobbering an admin-assigned role (env ADMIN_EMAILS stays the bootstrap admin).
- Suspension login-gates (password + Google callback + current_user) with a rate-limited
  'suspended' notice; shared purge_user (cascade delete + access-request cleanup + Google-grant
  revoke) behind self- and admin-deletion; single app_base source for user-facing email links.
This commit is contained in:
npeter83 2026-06-19 19:52:02 +02:00
parent c0dde06920
commit 2aa13a6433
9 changed files with 507 additions and 43 deletions

View file

@ -0,0 +1,31 @@
"""backfill email_verified for Google accounts
Revision ID: 0024_google_email_verified
Revises: 0023_user_suspension
Create Date: 2026-06-19
A Google sign-in proves the email, but earlier Google signups were created with
email_verified=false (the callback didn't set it). Backfill those so the flag reflects reality —
matters because password-login gates on email_verified, so a Google user who later adds a password
must count as verified. Demo/password-only rows (google_sub IS NULL) are left untouched.
"""
from typing import Sequence, Union
from alembic import op
revision: str = "0024_google_email_verified"
down_revision: Union[str, None] = "0023_user_suspension"
branch_labels: Union[str, Sequence[str], None] = None
depends_on: Union[str, Sequence[str], None] = None
def upgrade() -> None:
op.execute(
"UPDATE users SET email_verified = true "
"WHERE google_sub IS NOT NULL AND email_verified = false"
)
def downgrade() -> None:
# Not reversible — we can't tell which rows were flipped. No-op.
pass