auth email/password

app/models/__init__.py

@@ -0,0 +1,6 @@
+"""Database models."""
+
+from .user import User
+from .user_oauth import UserOAuth
+
+__all__ = ["User", "UserOAuth"]

app/models/user.py

@@ -0,0 +1,240 @@
+"""User model for authentication."""
+
+import secrets
+from datetime import datetime
+from typing import Optional, TYPE_CHECKING
+
+from werkzeug.security import check_password_hash, generate_password_hash
+from sqlalchemy import String, DateTime
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from app.database import db
+
+if TYPE_CHECKING:
+    from app.models.user_oauth import UserOAuth
+
+
+class User(db.Model):
+    """User model for storing user information."""
+    
+    __tablename__ = "users"
+    
+    id: Mapped[int] = mapped_column(primary_key=True)
+    
+    # Primary user information (can be updated from any connected provider)
+    email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+    name: Mapped[str] = mapped_column(String(255), nullable=False)
+    picture: Mapped[Optional[str]] = mapped_column(String(500), nullable=True)
+    
+    # Password authentication (optional - users can use OAuth instead)
+    password_hash: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
+    
+    # Role-based access control
+    role: Mapped[str] = mapped_column(String(50), nullable=False, default="user")
+    
+    # User status
+    is_active: Mapped[bool] = mapped_column(nullable=False, default=True)
+    
+    # API token for programmatic access
+    api_token: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
+    api_token_expires_at: Mapped[Optional[datetime]] = mapped_column(DateTime, nullable=True)
+    
+    # Timestamps
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime, default=datetime.utcnow, nullable=False
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False
+    )
+    
+    # Relationships
+    oauth_providers: Mapped[list["UserOAuth"]] = relationship(
+        "UserOAuth", back_populates="user", cascade="all, delete-orphan"
+    )
+    
+    def __repr__(self) -> str:
+        """String representation of User."""
+        provider_count = len(self.oauth_providers)
+        return f"<User {self.email} ({provider_count} providers)>"
+    
+    def to_dict(self) -> dict:
+        """Convert user to dictionary."""
+        return {
+            "id": str(self.id),
+            "email": self.email,
+            "name": self.name,
+            "picture": self.picture,
+            "role": self.role,
+            "is_active": self.is_active,
+            "api_token": self.api_token,
+            "api_token_expires_at": self.api_token_expires_at.isoformat() if self.api_token_expires_at else None,
+            "providers": [provider.provider for provider in self.oauth_providers],
+            "created_at": self.created_at.isoformat(),
+            "updated_at": self.updated_at.isoformat(),
+        }
+    
+    def get_provider(self, provider_name: str) -> Optional["UserOAuth"]:
+        """Get specific OAuth provider for this user."""
+        for provider in self.oauth_providers:
+            if provider.provider == provider_name:
+                return provider
+        return None
+    
+    def has_provider(self, provider_name: str) -> bool:
+        """Check if user has specific OAuth provider connected."""
+        return self.get_provider(provider_name) is not None
+    
+    def update_from_provider(self, provider_data: dict) -> None:
+        """Update user info from provider data (email, name, picture)."""
+        self.email = provider_data.get("email", self.email)
+        self.name = provider_data.get("name", self.name)
+        self.picture = provider_data.get("picture", self.picture)
+        self.updated_at = datetime.utcnow()
+        db.session.commit()
+    
+    def set_password(self, password: str) -> None:
+        """Hash and set user password."""
+        self.password_hash = generate_password_hash(password)
+        self.updated_at = datetime.utcnow()
+    
+    def check_password(self, password: str) -> bool:
+        """Check if provided password matches user's password."""
+        if not self.password_hash:
+            return False
+        return check_password_hash(self.password_hash, password)
+    
+    def has_password(self) -> bool:
+        """Check if user has a password set."""
+        return self.password_hash is not None
+    
+    def generate_api_token(self) -> str:
+        """Generate a new API token for the user."""
+        self.api_token = secrets.token_urlsafe(32)
+        self.api_token_expires_at = None  # No expiration by default
+        self.updated_at = datetime.utcnow()
+        return self.api_token
+    
+    def is_api_token_valid(self) -> bool:
+        """Check if the user's API token is valid (exists and not expired)."""
+        if not self.api_token:
+            return False
+        
+        if self.api_token_expires_at is None:
+            return True  # No expiration
+        
+        return datetime.utcnow() < self.api_token_expires_at
+    
+    def revoke_api_token(self) -> None:
+        """Revoke the user's API token."""
+        self.api_token = None
+        self.api_token_expires_at = None
+        self.updated_at = datetime.utcnow()
+    
+    def activate(self) -> None:
+        """Activate the user account."""
+        self.is_active = True
+        self.updated_at = datetime.utcnow()
+    
+    def deactivate(self) -> None:
+        """Deactivate the user account."""
+        self.is_active = False
+        self.updated_at = datetime.utcnow()
+    
+    @classmethod
+    def find_by_email(cls, email: str) -> Optional["User"]:
+        """Find user by email address."""
+        return cls.query.filter_by(email=email).first()
+    
+    @classmethod
+    def find_by_api_token(cls, api_token: str) -> Optional["User"]:
+        """Find user by API token if token is valid."""
+        user = cls.query.filter_by(api_token=api_token).first()
+        if user and user.is_api_token_valid():
+            return user
+        return None
+    
+    @classmethod
+    def find_or_create_from_oauth(
+        cls, provider: str, provider_id: str, email: str, name: str, picture: Optional[str] = None
+    ) -> tuple["User", "UserOAuth"]:
+        """Find existing user or create new one from OAuth data."""
+        from app.models.user_oauth import UserOAuth
+        
+        # First, try to find existing OAuth provider
+        oauth_provider = UserOAuth.find_by_provider_and_id(provider, provider_id)
+        
+        if oauth_provider:
+            # Update existing provider and user info
+            user = oauth_provider.user
+            oauth_provider.email = email
+            oauth_provider.name = name
+            oauth_provider.picture = picture
+            oauth_provider.updated_at = datetime.utcnow()
+            
+            # Update user info with latest data
+            user.update_from_provider({"email": email, "name": name, "picture": picture})
+        else:
+            # Try to find user by email to link the new provider
+            user = cls.find_by_email(email)
+            
+            if not user:
+                # Check if this is the first user (admin)
+                user_count = cls.query.count()
+                role = "admin" if user_count == 0 else "user"
+                
+                # Create new user
+                user = cls(
+                    email=email,
+                    name=name,
+                    picture=picture,
+                    role=role,
+                )
+                user.generate_api_token()  # Generate API token on creation
+                db.session.add(user)
+                db.session.flush()  # Flush to get user.id
+            
+            # Create new OAuth provider
+            oauth_provider = UserOAuth.create_or_update(
+                user_id=user.id,
+                provider=provider,
+                provider_id=provider_id,
+                email=email,
+                name=name,
+                picture=picture,
+            )
+        
+        db.session.commit()
+        return user, oauth_provider
+    
+    @classmethod
+    def create_with_password(cls, email: str, password: str, name: str) -> "User":
+        """Create new user with email and password."""
+        # Check if user already exists
+        existing_user = cls.find_by_email(email)
+        if existing_user:
+            raise ValueError("User with this email already exists")
+        
+        # Check if this is the first user (admin)
+        user_count = cls.query.count()
+        role = "admin" if user_count == 0 else "user"
+        
+        # Create new user
+        user = cls(
+            email=email,
+            name=name,
+            role=role,
+        )
+        user.set_password(password)
+        user.generate_api_token()  # Generate API token on creation
+        
+        db.session.add(user)
+        db.session.commit()
+        return user
+    
+    @classmethod
+    def authenticate_with_password(cls, email: str, password: str) -> Optional["User"]:
+        """Authenticate user with email and password."""
+        user = cls.find_by_email(email)
+        if user and user.check_password(password) and user.is_active:
+            return user
+        return None

app/models/user_oauth.py

@@ -0,0 +1,105 @@
+"""User OAuth model for storing user's connected providers."""
+
+from datetime import datetime
+from typing import Optional, TYPE_CHECKING
+
+from sqlalchemy import String, DateTime, Text, ForeignKey
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from app.database import db
+
+if TYPE_CHECKING:
+    from app.models.user import User
+
+
+class UserOAuth(db.Model):
+    """Model for storing user's connected OAuth providers."""
+    
+    __tablename__ = "user_oauth"
+    
+    id: Mapped[int] = mapped_column(primary_key=True)
+    
+    # User relationship
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id"), nullable=False)
+    
+    # OAuth provider information
+    provider: Mapped[str] = mapped_column(String(50), nullable=False)
+    provider_id: Mapped[str] = mapped_column(String(255), nullable=False)
+    
+    # Provider-specific user information
+    email: Mapped[str] = mapped_column(String(255), nullable=False)
+    name: Mapped[str] = mapped_column(String(255), nullable=False)
+    picture: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
+    
+    # Timestamps
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime, default=datetime.utcnow, nullable=False
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False
+    )
+    
+    # Unique constraint on provider + provider_id combination
+    __table_args__ = (
+        db.UniqueConstraint("provider", "provider_id", name="unique_provider_user"),
+    )
+    
+    # Relationships
+    user: Mapped["User"] = relationship("User", back_populates="oauth_providers")
+    
+    def __repr__(self) -> str:
+        """String representation of UserOAuth."""
+        return f"<UserOAuth {self.email} ({self.provider})>"
+    
+    def to_dict(self) -> dict:
+        """Convert oauth provider to dictionary."""
+        return {
+            "id": self.id,
+            "provider": self.provider,
+            "provider_id": self.provider_id,
+            "email": self.email,
+            "name": self.name,
+            "picture": self.picture,
+            "created_at": self.created_at.isoformat(),
+            "updated_at": self.updated_at.isoformat(),
+        }
+    
+    @classmethod
+    def find_by_provider_and_id(cls, provider: str, provider_id: str) -> Optional["UserOAuth"]:
+        """Find OAuth provider by provider name and provider ID."""
+        return cls.query.filter_by(provider=provider, provider_id=provider_id).first()
+    
+    @classmethod
+    def create_or_update(
+        cls, 
+        user_id: int, 
+        provider: str, 
+        provider_id: str, 
+        email: str, 
+        name: str, 
+        picture: Optional[str] = None
+    ) -> "UserOAuth":
+        """Create new OAuth provider or update existing one."""
+        oauth_provider = cls.find_by_provider_and_id(provider, provider_id)
+        
+        if oauth_provider:
+            # Update existing provider
+            oauth_provider.user_id = user_id
+            oauth_provider.email = email
+            oauth_provider.name = name
+            oauth_provider.picture = picture
+            oauth_provider.updated_at = datetime.utcnow()
+        else:
+            # Create new provider
+            oauth_provider = cls(
+                user_id=user_id,
+                provider=provider,
+                provider_id=provider_id,
+                email=email,
+                name=name,
+                picture=picture,
+            )
+            db.session.add(oauth_provider)
+        
+        db.session.commit()
+        return oauth_provider