diff --git a/Dockerfile b/Dockerfile index 37e8237..6f98c9b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ ENV PYTHONDONTWRITEBYTECODE=1 \ WORKDIR /app COPY backend/requirements.txt . -RUN pip install -r requirements.txt +RUN pip install --upgrade pip && pip install -r requirements.txt COPY backend/ . COPY --from=frontend /fe/dist ./app/static_spa diff --git a/backend/app/auth.py b/backend/app/auth.py index c5b086b..787f2b7 100644 --- a/backend/app/auth.py +++ b/backend/app/auth.py @@ -213,13 +213,14 @@ def current_user(request: Request, db: Session = Depends(get_db)) -> User: @router.get("/upgrade") async def upgrade( - request: Request, access: str = "write", user: User = Depends(current_user) + request: Request, access: str = "read", user: User = Depends(current_user) ): """Incremental consent for the onboarding wizard. `access=read` grants YouTube read-only (enough to build the feed); `access=write` additionally grants management (unsubscribe). The shared callback stores whatever Google returns, so `can_read` / - `can_write` flip on once granted.""" - scope = READ_SCOPES if access == "read" else WRITE_SCOPES + `can_write` flip on once granted. Anything other than an explicit `write` defaults to + the least-privileged read scope.""" + scope = WRITE_SCOPES if access == "write" else READ_SCOPES return await oauth.google.authorize_redirect( request, settings.oauth_redirect_url, diff --git a/backend/requirements.txt b/backend/requirements.txt index 351833b..6ba02a4 100644 --- a/backend/requirements.txt +++ b/backend/requirements.txt @@ -11,4 +11,4 @@ feedparser>=6.0,<7.0 apscheduler>=3.10,<4.0 py3langid>=0.3,<1.0 itsdangerous>=2.1,<3.0 -cryptography>=42,<46 +cryptography>=46.0.7,<47