5123c85397
Two tables (sessions, user_tokens) + migration; only token *hashes* are stored, so a DB leak yields no usable credential. Argon2id password hashing and token primitives in app/core/security. Config and .env.example gain session/cookie/token TTLs, app base URL, and SMTP settings (twelve-factor). Migration verified reversible (drops the token_purpose enum) and matches the models. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Justin Paul <justin@jpaul.me>
"""auth sessions and tokens
|
|
|
|
Revision ID: 1f6e54f6406a
|
|
Revises: ec43c338e155
|
|
Create Date: 2026-06-06 10:47:06.454748
|
|
|
|
"""
|
|
from collections.abc import Sequence
|
|
|
|
from alembic import op
|
|
import sqlalchemy as sa
|
|
|
|
|
|
# revision identifiers, used by Alembic.
|
|
revision: str = '1f6e54f6406a'
|
|
down_revision: str | None = 'ec43c338e155'
|
|
branch_labels: str | Sequence[str] | None = None
|
|
depends_on: str | Sequence[str] | None = None
|
|
|
|
|
|
def upgrade() -> None:
|
|
# ### commands auto generated by Alembic - please adjust! ###
|
|
op.create_table('sessions',
|
|
sa.Column('user_id', sa.Uuid(), nullable=False),
|
|
sa.Column('token_hash', sa.String(length=64), nullable=False),
|
|
sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
|
|
sa.Column('expires_at', sa.DateTime(timezone=True), nullable=False),
|
|
sa.Column('revoked_at', sa.DateTime(timezone=True), nullable=True),
|
|
sa.Column('id', sa.Uuid(), nullable=False),
|
|
sa.ForeignKeyConstraint(['user_id'], ['users.id'], name=op.f('fk_sessions_user_id_users'), ondelete='CASCADE'),
|
|
sa.PrimaryKeyConstraint('id', name=op.f('pk_sessions'))
|
|
)
|
|
op.create_index(op.f('ix_sessions_token_hash'), 'sessions', ['token_hash'], unique=True)
|
|
op.create_index(op.f('ix_sessions_user_id'), 'sessions', ['user_id'], unique=False)
|
|
op.create_table('user_tokens',
|
|
sa.Column('user_id', sa.Uuid(), nullable=False),
|
|
sa.Column('purpose', sa.Enum('email_verify', 'password_reset', name='token_purpose'), nullable=False),
|
|
sa.Column('token_hash', sa.String(length=64), nullable=False),
|
|
sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
|
|
sa.Column('expires_at', sa.DateTime(timezone=True), nullable=False),
|
|
sa.Column('used_at', sa.DateTime(timezone=True), nullable=True),
|
|
sa.Column('id', sa.Uuid(), nullable=False),
|
|
sa.ForeignKeyConstraint(['user_id'], ['users.id'], name=op.f('fk_user_tokens_user_id_users'), ondelete='CASCADE'),
|
|
sa.PrimaryKeyConstraint('id', name=op.f('pk_user_tokens'))
|
|
)
|
|
op.create_index(op.f('ix_user_tokens_token_hash'), 'user_tokens', ['token_hash'], unique=True)
|
|
op.create_index(op.f('ix_user_tokens_user_id'), 'user_tokens', ['user_id'], unique=False)
|
|
# ### end Alembic commands ###
|
|
|
|
|
|
def downgrade() -> None:
|
|
# ### commands auto generated by Alembic - please adjust! ###
|
|
op.drop_index(op.f('ix_user_tokens_user_id'), table_name='user_tokens')
|
|
op.drop_index(op.f('ix_user_tokens_token_hash'), table_name='user_tokens')
|
|
op.drop_table('user_tokens')
|
|
op.drop_index(op.f('ix_sessions_user_id'), table_name='sessions')
|
|
op.drop_index(op.f('ix_sessions_token_hash'), table_name='sessions')
|
|
op.drop_table('sessions')
|
|
# ### end Alembic commands ###
|
|
|
|
# Enum type created implicitly by create_table(); drop it for reversibility.
|
|
op.execute("DROP TYPE IF EXISTS token_purpose")
|
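Review bot: The raw `op.execute("DROP TYPE IF EXISTS token_purpose")` at the end of `downgrade()` is PostgreSQL-specific SQL, so the downgrade would fail on any dialect where `create_table()` did not create a native enum type; the dialect-aware form `sa.Enum(name='token_purpose').drop(op.get_bind(), checkfirst=True)` drops the type where one exists and is a no-op elsewhere. Separately, both `token_hash` columns are declared `sa.String(length=64)` with a unique index, but nothing in the migration records which digest the application writes, so the column width and the hashing primitive in app/core/security can silently drift apart; a one-line comment on each column, e.g. `# hex digest of the opaque token (64 chars is consistent with SHA-256); keep in sync with app/core/security`, documents the coupling. The 64-character width is presumably a hex SHA-256 as the commit message implies, but that cannot be confirmed from this file alone. Neither table indexes `expires_at`, so a periodic purge of expired sessions or tokens would scan the whole table; whether that matters depends on the expected row volume.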