feat(auth): split base sign-in from YouTube scopes for incremental onboarding

Base login now requests only openid/email/profile (non-sensitive), so a new user
gets a clean Google consent with no "unverified app" warning and no 7-day refresh
token expiry. YouTube read (youtube.readonly) and write (youtube) are granted later
by the onboarding wizard via a parameterized /auth/upgrade?access=read|write.

Security fixes folded in from the baseline audit:
- config: refuse to boot in production (https OAUTH_REDIRECT_URL) with the
  placeholder/short SECRET_KEY or a missing TOKEN_ENCRYPTION_KEY, closing a
  session-forgery / admin-impersonation hole.
- main: mark the session cookie Secure when served over HTTPS.
- me: expose can_read; sync/subscriptions returns a friendly 403 (not a 500)
  until YouTube read access is granted.
This commit is contained in:
npeter83 2026-06-13 23:56:34 +02:00
parent 01ebdee8bc
commit 580d7f0e0d
6 changed files with 81 additions and 17 deletions

View file

@ -2,7 +2,7 @@ from fastapi import APIRouter, Depends
from sqlalchemy import func, select
from sqlalchemy.orm import Session
from app.auth import current_user, has_write_scope
from app.auth import current_user, has_read_scope, has_write_scope
from app.db import get_db
from app.models import Invite, User
@ -29,6 +29,7 @@ def get_me(
"display_name": user.display_name,
"avatar_url": user.avatar_url,
"role": user.role,
"can_read": has_read_scope(user),
"can_write": has_write_scope(user),
"pending_invites": pending_invites,
"preferences": user.preferences or {},