added backends, improved templating, rbac

2026-06-10 14:40:22 +02:00
parent d9ca48addc
commit ce43f2658f
28 changed files with 1183 additions and 78 deletions
--- a/server/alembic/versions/2c3d4e5f6a7b_auth_sessions_and_rbac.py
+++ b/server/alembic/versions/2c3d4e5f6a7b_auth_sessions_and_rbac.py
@@ -0,0 +1,130 @@
+"""auth sessions and RBAC assignments
+
+Revision ID: 2c3d4e5f6a7b
+Revises: 1f8d4c2a0b7e
+Create Date: 2026-06-08 10:00:00.000000
+"""
+from __future__ import annotations
+
+from alembic import op
+import sqlalchemy as sa
+
+
+revision = "2c3d4e5f6a7b"
+down_revision = "1f8d4c2a0b7e"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    with op.batch_alter_table("users") as batch_op:
+        batch_op.add_column(sa.Column("auth_provider", sa.String(length=50), nullable=False, server_default="local"))
+        batch_op.add_column(sa.Column("password_hash", sa.String(length=500), nullable=True))
+        batch_op.add_column(sa.Column("last_login_at", sa.DateTime(timezone=True), nullable=True))
+
+    op.create_table(
+        "user_group_memberships",
+        sa.Column("id", sa.String(length=36), nullable=False),
+        sa.Column("tenant_id", sa.String(length=36), nullable=False),
+        sa.Column("user_id", sa.String(length=36), nullable=False),
+        sa.Column("group_id", sa.String(length=36), nullable=False),
+        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
+        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
+        sa.ForeignKeyConstraint(["tenant_id"], ["tenants.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(["group_id"], ["groups.id"], ondelete="CASCADE"),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint("tenant_id", "user_id", "group_id", name="uq_user_group_memberships"),
+    )
+    op.create_index(op.f("ix_user_group_memberships_tenant_id"), "user_group_memberships", ["tenant_id"])
+    op.create_index(op.f("ix_user_group_memberships_user_id"), "user_group_memberships", ["user_id"])
+    op.create_index(op.f("ix_user_group_memberships_group_id"), "user_group_memberships", ["group_id"])
+
+    op.create_table(
+        "user_role_assignments",
+        sa.Column("id", sa.String(length=36), nullable=False),
+        sa.Column("tenant_id", sa.String(length=36), nullable=False),
+        sa.Column("user_id", sa.String(length=36), nullable=False),
+        sa.Column("role_id", sa.String(length=36), nullable=False),
+        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
+        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
+        sa.ForeignKeyConstraint(["tenant_id"], ["tenants.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(["role_id"], ["roles.id"], ondelete="CASCADE"),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint("tenant_id", "user_id", "role_id", name="uq_user_role_assignments"),
+    )
+    op.create_index(op.f("ix_user_role_assignments_tenant_id"), "user_role_assignments", ["tenant_id"])
+    op.create_index(op.f("ix_user_role_assignments_user_id"), "user_role_assignments", ["user_id"])
+    op.create_index(op.f("ix_user_role_assignments_role_id"), "user_role_assignments", ["role_id"])
+
+    op.create_table(
+        "group_role_assignments",
+        sa.Column("id", sa.String(length=36), nullable=False),
+        sa.Column("tenant_id", sa.String(length=36), nullable=False),
+        sa.Column("group_id", sa.String(length=36), nullable=False),
+        sa.Column("role_id", sa.String(length=36), nullable=False),
+        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
+        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
+        sa.ForeignKeyConstraint(["tenant_id"], ["tenants.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(["group_id"], ["groups.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(["role_id"], ["roles.id"], ondelete="CASCADE"),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint("tenant_id", "group_id", "role_id", name="uq_group_role_assignments"),
+    )
+    op.create_index(op.f("ix_group_role_assignments_tenant_id"), "group_role_assignments", ["tenant_id"])
+    op.create_index(op.f("ix_group_role_assignments_group_id"), "group_role_assignments", ["group_id"])
+    op.create_index(op.f("ix_group_role_assignments_role_id"), "group_role_assignments", ["role_id"])
+
+    op.create_table(
+        "auth_sessions",
+        sa.Column("id", sa.String(length=36), nullable=False),
+        sa.Column("tenant_id", sa.String(length=36), nullable=False),
+        sa.Column("user_id", sa.String(length=36), nullable=False),
+        sa.Column("token_hash", sa.String(length=128), nullable=False),
+        sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
+        sa.Column("last_seen_at", sa.DateTime(timezone=True), nullable=True),
+        sa.Column("revoked_at", sa.DateTime(timezone=True), nullable=True),
+        sa.Column("user_agent", sa.String(length=500), nullable=True),
+        sa.Column("ip_address", sa.String(length=100), nullable=True),
+        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
+        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
+        sa.ForeignKeyConstraint(["tenant_id"], ["tenants.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
+        sa.PrimaryKeyConstraint("id"),
+        sa.UniqueConstraint("token_hash"),
+    )
+    op.create_index(op.f("ix_auth_sessions_tenant_id"), "auth_sessions", ["tenant_id"])
+    op.create_index(op.f("ix_auth_sessions_user_id"), "auth_sessions", ["user_id"])
+    op.create_index(op.f("ix_auth_sessions_token_hash"), "auth_sessions", ["token_hash"])
+    op.create_index(op.f("ix_auth_sessions_expires_at"), "auth_sessions", ["expires_at"])
+    op.create_index(op.f("ix_auth_sessions_revoked_at"), "auth_sessions", ["revoked_at"])
+
+
+def downgrade() -> None:
+    op.drop_index(op.f("ix_auth_sessions_revoked_at"), table_name="auth_sessions")
+    op.drop_index(op.f("ix_auth_sessions_expires_at"), table_name="auth_sessions")
+    op.drop_index(op.f("ix_auth_sessions_token_hash"), table_name="auth_sessions")
+    op.drop_index(op.f("ix_auth_sessions_user_id"), table_name="auth_sessions")
+    op.drop_index(op.f("ix_auth_sessions_tenant_id"), table_name="auth_sessions")
+    op.drop_table("auth_sessions")
+
+    op.drop_index(op.f("ix_group_role_assignments_role_id"), table_name="group_role_assignments")
+    op.drop_index(op.f("ix_group_role_assignments_group_id"), table_name="group_role_assignments")
+    op.drop_index(op.f("ix_group_role_assignments_tenant_id"), table_name="group_role_assignments")
+    op.drop_table("group_role_assignments")
+
+    op.drop_index(op.f("ix_user_role_assignments_role_id"), table_name="user_role_assignments")
+    op.drop_index(op.f("ix_user_role_assignments_user_id"), table_name="user_role_assignments")
+    op.drop_index(op.f("ix_user_role_assignments_tenant_id"), table_name="user_role_assignments")
+    op.drop_table("user_role_assignments")
+
+    op.drop_index(op.f("ix_user_group_memberships_group_id"), table_name="user_group_memberships")
+    op.drop_index(op.f("ix_user_group_memberships_user_id"), table_name="user_group_memberships")
+    op.drop_index(op.f("ix_user_group_memberships_tenant_id"), table_name="user_group_memberships")
+    op.drop_table("user_group_memberships")
+
+    with op.batch_alter_table("users") as batch_op:
+        batch_op.drop_column("last_login_at")
+        batch_op.drop_column("password_hash")
+        batch_op.drop_column("auth_provider")