added backends, improved templating, rbac

server/app/db/bootstrap.py

@@ -5,9 +5,10 @@ from dataclasses import dataclass
 from sqlalchemy.orm import Session
 
 from app.db.base import Base
-from app.db.models import Role, Tenant, User
+from app.db.models import Role, Tenant, User, UserRoleAssignment
 from app.db.session import engine
 from app.security.api_keys import CreatedApiKey, create_api_key
+from app.security.passwords import hash_password
 
 DEFAULT_SCOPES = [
     "campaign:read",
@@ -62,6 +63,7 @@ def bootstrap_dev_data(
     api_key_secret: str | None = None,
     tenant_slug: str = "default",
     user_email: str = "admin@example.local",
+    user_password: str = "dev-admin",
 ) -> BootstrapResult:
     tenant = session.query(Tenant).filter(Tenant.slug == tenant_slug).one_or_none()
     if tenant is None:
@@ -76,9 +78,23 @@ def bootstrap_dev_data(
 
     user = session.query(User).filter(User.tenant_id == tenant.id, User.email == user_email).one_or_none()
     if user is None:
-        user = User(tenant_id=tenant.id, email=user_email, display_name="Development Admin", is_tenant_admin=True)
+        user = User(tenant_id=tenant.id, email=user_email, display_name="Development Admin", is_tenant_admin=True, password_hash=hash_password(user_password))
         session.add(user)
         session.flush()
+    elif not user.password_hash:
+        user.password_hash = hash_password(user_password)
+        session.add(user)
+
+    # Development owner role assignment for RBAC/session login.
+    owner_role = session.query(Role).filter(Role.tenant_id == tenant.id, Role.slug == "owner").one_or_none()
+    if owner_role is not None:
+        existing_assignment = session.query(UserRoleAssignment).filter(
+            UserRoleAssignment.tenant_id == tenant.id,
+            UserRoleAssignment.user_id == user.id,
+            UserRoleAssignment.role_id == owner_role.id,
+        ).one_or_none()
+        if existing_assignment is None:
+            session.add(UserRoleAssignment(tenant_id=tenant.id, user_id=user.id, role_id=owner_role.id))
 
     created_api_key = None
     if api_key_secret:

server/app/db/models.py

@@ -117,9 +117,13 @@ class User(Base, TimestampMixin):
     display_name: Mapped[str | None] = mapped_column(String(255))
     is_active: Mapped[bool] = mapped_column(Boolean, default=True, nullable=False)
     is_tenant_admin: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False)
+    auth_provider: Mapped[str] = mapped_column(String(50), default="local", nullable=False)
+    password_hash: Mapped[str | None] = mapped_column(String(500))
+    last_login_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
 
     tenant: Mapped[Tenant] = relationship(back_populates="users")
     api_keys: Mapped[list[ApiKey]] = relationship(back_populates="user", cascade="all, delete-orphan")
+    auth_sessions: Mapped[list[AuthSession]] = relationship(back_populates="user", cascade="all, delete-orphan")
 
 
 class Group(Base, TimestampMixin):
@@ -143,6 +147,38 @@ class Role(Base, TimestampMixin):
     permissions: Mapped[list[str]] = mapped_column(JSON, default=list)
 
 
+
+
+class UserGroupMembership(Base, TimestampMixin):
+    __tablename__ = "user_group_memberships"
+    __table_args__ = (UniqueConstraint("tenant_id", "user_id", "group_id", name="uq_user_group_memberships"),)
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=new_uuid)
+    tenant_id: Mapped[str] = mapped_column(ForeignKey("tenants.id", ondelete="CASCADE"), nullable=False, index=True)
+    user_id: Mapped[str] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
+    group_id: Mapped[str] = mapped_column(ForeignKey("groups.id", ondelete="CASCADE"), nullable=False, index=True)
+
+
+class UserRoleAssignment(Base, TimestampMixin):
+    __tablename__ = "user_role_assignments"
+    __table_args__ = (UniqueConstraint("tenant_id", "user_id", "role_id", name="uq_user_role_assignments"),)
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=new_uuid)
+    tenant_id: Mapped[str] = mapped_column(ForeignKey("tenants.id", ondelete="CASCADE"), nullable=False, index=True)
+    user_id: Mapped[str] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
+    role_id: Mapped[str] = mapped_column(ForeignKey("roles.id", ondelete="CASCADE"), nullable=False, index=True)
+
+
+class GroupRoleAssignment(Base, TimestampMixin):
+    __tablename__ = "group_role_assignments"
+    __table_args__ = (UniqueConstraint("tenant_id", "group_id", "role_id", name="uq_group_role_assignments"),)
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=new_uuid)
+    tenant_id: Mapped[str] = mapped_column(ForeignKey("tenants.id", ondelete="CASCADE"), nullable=False, index=True)
+    group_id: Mapped[str] = mapped_column(ForeignKey("groups.id", ondelete="CASCADE"), nullable=False, index=True)
+    role_id: Mapped[str] = mapped_column(ForeignKey("roles.id", ondelete="CASCADE"), nullable=False, index=True)
+
+
 class ApiKey(Base, TimestampMixin):
     __tablename__ = "api_keys"
 
@@ -160,6 +196,24 @@ class ApiKey(Base, TimestampMixin):
     user: Mapped[User] = relationship(back_populates="api_keys")
 
 
+
+
+class AuthSession(Base, TimestampMixin):
+    __tablename__ = "auth_sessions"
+
+    id: Mapped[str] = mapped_column(String(36), primary_key=True, default=new_uuid)
+    tenant_id: Mapped[str] = mapped_column(ForeignKey("tenants.id", ondelete="CASCADE"), nullable=False, index=True)
+    user_id: Mapped[str] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
+    token_hash: Mapped[str] = mapped_column(String(128), nullable=False, unique=True, index=True)
+    expires_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False, index=True)
+    last_seen_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
+    revoked_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), index=True)
+    user_agent: Mapped[str | None] = mapped_column(String(500))
+    ip_address: Mapped[str | None] = mapped_column(String(100))
+
+    user: Mapped[User] = relationship(back_populates="auth_sessions")
+
+
 class Campaign(Base, TimestampMixin):
     __tablename__ = "campaigns"
     __table_args__ = (UniqueConstraint("tenant_id", "external_id", name="uq_campaigns_tenant_external_id"),)