siftlode/backend/alembic/versions/0022_password_auth.py
npeter83 8f5e26d2ee feat(auth): email+password registration with two-gate activation (5a backend)
Add email+password auth alongside Google: argon2id hashing; users gains
password_hash/email_verified/is_active and google_sub becomes nullable (migration
0022); a single-use, hashed auth_tokens table for email verification + password
reset. Registration creates a pending (inactive, unverified) account + an access
request; sign-in needs verified email AND admin approval. Anti-enumeration: uniform
register/login/reset responses (a correct-password owner still gets a specific
pending reason). allow_registration flag (DB-tunable). Admin users-list + role
endpoint (guards: not self, not demo, not the last admin); approving access (or a
manual whitelist add) now activates the matching pending account. current_user
rejects deactivated accounts. Verified end-to-end via curl + DB.
2026-06-19 14:03:11 +02:00

63 lines
2.4 KiB
Python

"""email+password auth foundations
Revision ID: 0022_password_auth
Revises: 0021_system_config
Create Date: 2026-06-19
Adds password-auth columns to users (password_hash, email_verified, is_active), makes
google_sub nullable (password-only accounts have no Google sub until they link), and a
single-use auth_tokens table for email verification + password reset. Existing rows are all
Google/demo accounts → backfilled email_verified=true (is_active defaults true).
"""
from typing import Sequence, Union
import sqlalchemy as sa
from alembic import op
revision: str = "0022_password_auth"
down_revision: Union[str, None] = "0021_system_config"
branch_labels: Union[str, Sequence[str], None] = None
depends_on: Union[str, Sequence[str], None] = None
def upgrade() -> None:
op.add_column("users", sa.Column("password_hash", sa.String(length=255), nullable=True))
op.add_column(
"users",
sa.Column("email_verified", sa.Boolean(), nullable=False, server_default="false"),
)
op.add_column(
"users",
sa.Column("is_active", sa.Boolean(), nullable=False, server_default="true"),
)
# Existing accounts are all Google/demo — their email is already proven.
op.execute("UPDATE users SET email_verified = true")
# Password-only accounts have no Google sub until they link one.
op.alter_column("users", "google_sub", existing_type=sa.String(length=64), nullable=True)
op.create_table(
"auth_tokens",
sa.Column("id", sa.Integer(), primary_key=True),
sa.Column(
"user_id",
sa.Integer(),
sa.ForeignKey("users.id", ondelete="CASCADE"),
nullable=False,
index=True,
),
sa.Column("kind", sa.String(length=16), nullable=False),
sa.Column("token_hash", sa.String(length=64), nullable=False, unique=True),
sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
sa.Column("used_at", sa.DateTime(timezone=True), nullable=True),
sa.Column(
"created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False
),
)
def downgrade() -> None:
op.drop_table("auth_tokens")
op.alter_column("users", "google_sub", existing_type=sa.String(length=64), nullable=False)
op.drop_column("users", "is_active")
op.drop_column("users", "email_verified")
op.drop_column("users", "password_hash")