siftlode/backend/app
npeter83 4765db89de feat(auth): split base sign-in from YouTube scopes for incremental onboarding
Base login now requests only openid/email/profile (non-sensitive), so a new user
gets a clean Google consent with no "unverified app" warning and no 7-day refresh
token expiry. YouTube read (youtube.readonly) and write (youtube) are granted later
by the onboarding wizard via a parameterized /auth/upgrade?access=read|write.

Security fixes folded in from the baseline audit:
- config: refuse to boot in production (https OAUTH_REDIRECT_URL) with the
  placeholder/short SECRET_KEY or a missing TOKEN_ENCRYPTION_KEY, closing a
  session-forgery / admin-impersonation hole.
- main: mark the session cookie Secure when served over HTTPS.
- me: expose can_read; sync/subscriptions returns a friendly 403 (not a 500)
  until YouTube read access is granted.
2026-06-13 23:56:34 +02:00
..
routes feat(auth): split base sign-in from YouTube scopes for incremental onboarding 2026-06-13 23:56:34 +02:00
static fix: default app UI language to English (login page) 2026-06-11 01:03:36 +02:00
sync fix(backfill): don't skip the tail of the recent/deep boundary page 2026-06-12 00:15:20 +02:00
youtube feat(m5b): optional YouTube write scope via incremental OAuth 2026-06-11 23:27:11 +02:00
__init__.py feat: M1 foundation — compose stack, FastAPI, Google OAuth, encrypted tokens 2026-06-11 01:01:37 +02:00
auth.py feat(auth): split base sign-in from YouTube scopes for incremental onboarding 2026-06-13 23:56:34 +02:00
config.py feat(auth): split base sign-in from YouTube scopes for incremental onboarding 2026-06-13 23:56:34 +02:00
db.py feat: M1 foundation — compose stack, FastAPI, Google OAuth, encrypted tokens 2026-06-11 01:01:37 +02:00
email.py fix(email): warmer onboarding copy + Reply-To/Date headers 2026-06-12 02:05:18 +02:00
main.py feat(auth): split base sign-in from YouTube scopes for incremental onboarding 2026-06-13 23:56:34 +02:00
models.py feat(stats): per-user API quota attribution + admin usage page 2026-06-12 02:47:55 +02:00
quota.py feat(stats): per-user API quota attribution + admin usage page 2026-06-12 02:47:55 +02:00
scheduler.py feat(stats): per-user API quota attribution + admin usage page 2026-06-12 02:47:55 +02:00
security.py feat: M1 foundation — compose stack, FastAPI, Google OAuth, encrypted tokens 2026-06-11 01:01:37 +02:00
state.py chore: structured timestamped logging across the backend 2026-06-11 04:26:18 +02:00