Add email+password auth alongside Google: argon2id hashing; users gains password_hash/email_verified/is_active and google_sub becomes nullable (migration 0022); a single-use, hashed auth_tokens table for email verification + password reset. Registration creates a pending (inactive, unverified) account + an access request; sign-in needs verified email AND admin approval. Anti-enumeration: uniform register/login/reset responses (a correct-password owner still gets a specific pending reason). allow_registration flag (DB-tunable). Admin users-list + role endpoint (guards: not self, not demo, not the last admin); approving access (or a manual whitelist add) now activates the matching pending account. current_user rejects deactivated accounts. Verified end-to-end via curl + DB.
15 lines
331 B
Text
15 lines
331 B
Text
fastapi>=0.115,<1.0
|
|
uvicorn[standard]>=0.30,<1.0
|
|
sqlalchemy>=2.0,<2.1
|
|
psycopg[binary]>=3.2,<4.0
|
|
alembic>=1.13,<2.0
|
|
pydantic>=2.7,<3.0
|
|
pydantic-settings>=2.3,<3.0
|
|
authlib>=1.3,<2.0
|
|
httpx>=0.27,<1.0
|
|
feedparser>=6.0,<7.0
|
|
apscheduler>=3.10,<4.0
|
|
py3langid>=0.3,<1.0
|
|
itsdangerous>=2.1,<3.0
|
|
cryptography>=46.0.7,<47
|
|
argon2-cffi>=23.1,<26
|