Add auth foundation: sessions/tokens schema, Argon2 hashing, config

Two tables (sessions, user_tokens) + migration; only token *hashes* are stored, so a DB leak yields no usable credential. Argon2id password hashing and token primitives in app/core/security. Config and .env.example gain session/cookie/token TTLs, app base URL, and SMTP settings (twelve-factor). Migration verified reversible (drops the token_purpose enum) and matches the models.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
This commit is contained in:
2026-06-06 10:51:51 -04:00
parent e5a8713293
commit 5123c85397
9 changed files with 278 additions and 0 deletions
+16
View File
@@ -27,6 +27,22 @@ class Settings(BaseSettings):
default="postgresql+asyncpg://provenance:provenance@localhost:5432/provenance",
)
# --- Auth / sessions ---
session_ttl_days: int = 30
token_ttl_hours: int = 24 # email-verify / password-reset token lifetime
cookie_name: str = "provenance_session"
cookie_secure: bool = True # set false for local http; true behind TLS
# Base URL used to build links in outbound email.
app_base_url: str = "http://localhost"
# --- Email (SMTP) ---
mailer: str = Field(default="console", description="console | smtp")
smtp_host: str | None = None
smtp_port: int = 587
smtp_username: str | None = None
smtp_password: str | None = None
smtp_from: str = "Provenance <no-reply@provenance.local>"
@lru_cache
def get_settings() -> Settings:
+35
View File
@@ -0,0 +1,35 @@
"""Password hashing and token primitives.
Passwords use Argon2id (argon2-cffi). Session and email tokens are random
high-entropy strings; only their SHA-256 hash is stored, so a database leak
never exposes a usable credential.
"""
import hashlib
import secrets
from argon2 import PasswordHasher
from argon2.exceptions import Argon2Error
_hasher = PasswordHasher()
def hash_password(password: str) -> str:
return _hasher.hash(password)
def verify_password(password_hash: str, password: str) -> bool:
try:
return _hasher.verify(password_hash, password)
except (Argon2Error, ValueError):
return False
def generate_token() -> str:
"""A URL-safe, high-entropy token (the raw secret handed to the client)."""
return secrets.token_urlsafe(32)
def hash_token(token: str) -> str:
"""SHA-256 of a token — what we store and look up by."""
return hashlib.sha256(token.encode("utf-8")).hexdigest()