Kyle Pope bcfebbc9ae feat(backend): Phase 1 passwordless login — migration, models, toggle endpoints, unlock, delete guard, admin controls ...

- Migration 062: adds users.passwordless_enabled and system_config.allow_passwordless (both default false)
- User model: passwordless_enabled field after must_change_password
- SystemConfig model: allow_passwordless field after enforce_mfa_new_users
- auth.py login(): block passwordless-enabled accounts from password login path (403) with audit log
- auth.py auth_status(): change has_passkeys query to full COUNT, add passkey_count + passwordless_enabled to response
- auth.py get_current_user(): add /api/auth/passkeys/login/begin and /login/complete to lock_exempt set
- passkeys.py: add PasswordlessEnableRequest + PasswordlessDisableRequest schemas
- passkeys.py: PUT /passwordless/enable — verify password, check system config, require >= 2 passkeys, set flag
- passkeys.py: POST /passwordless/disable/begin — generate user-bound challenge for passkey auth ceremony
- passkeys.py: PUT /passwordless/disable — verify passkey auth response, clear flag, update sign count
- passkeys.py: PasskeyLoginCompleteRequest.unlock field — passkey re-auth into locked session without new session
- passkeys.py: delete guard — 409 if passwordless user attempts to drop below 2 passkeys
- schemas/admin.py: add passwordless_enabled to UserListItem + UserDetailResponse; add allow_passwordless to SystemConfigResponse + SystemConfigUpdate; add TogglePasswordlessRequest
- admin.py: PUT /users/{user_id}/passwordless — admin-only disable (enabled=False only), revokes all sessions, audit log
- admin.py: update_system_config handles allow_passwordless field

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-18 00:15:39 +08:00

..

__init__.py

Address all QA review warnings and suggestions for lock screen feature

2026-02-25 18:20:42 +08:00

admin.py

feat(backend): Phase 1 passwordless login — migration, models, toggle endpoints, unlock, delete guard, admin controls

2026-03-18 00:15:39 +08:00

auth.py

Allow dots in umbral name validation (matches username regex)

2026-03-05 20:30:27 +08:00

calendar_event.py

Fix QA findings: single UNION query, weekly validation, nginx docs

2026-03-15 01:46:11 +08:00

calendar.py

Phase 6: Real-time sync, drag-drop guards, security fix, invite bug fix, UI polish

2026-03-06 16:46:15 +08:00

connection.py

Allow dots in umbral name validation (matches username regex)

2026-03-05 20:30:27 +08:00

event_invitation.py

Fix QA and pentest findings for event invitations

2026-03-17 01:28:01 +08:00

event_template.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

location.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00

notification.py

Fix QA review findings: race condition, detached session, validation

2026-03-04 06:36:14 +08:00

person.py

Add user connections, notification centre, and people integration

2026-03-04 02:10:16 +08:00

project_member.py

Polish pass: action all remaining QA suggestions before merge

2026-03-17 05:28:34 +08:00

project_task_assignment.py

Polish pass: action all remaining QA suggestions before merge

2026-03-17 05:28:34 +08:00

project_task.py

Add collaborative project sharing, task assignments, and delta polling

2026-03-17 03:18:35 +08:00

project.py

Polish pass: action all remaining QA suggestions before merge

2026-03-17 05:28:34 +08:00

reminder.py

Redesign Upcoming Widget with day groups, status pills, and inline actions

2026-03-11 21:07:14 +08:00

settings.py

Fix notification background polling, add first/last name sharing

2026-03-04 07:34:13 +08:00

shared_calendar.py

Fix QA review findings: 3 critical, 5 warnings, 1 suggestion

2026-03-06 23:41:08 +08:00

task_comment.py

Polish pass: action all remaining QA suggestions before merge

2026-03-17 05:28:34 +08:00

todo.py

M-01+M-03: Add input validation and extra=forbid to all request schemas

2026-02-27 15:43:55 +08:00