rohskiddo/UMBRA
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
UMBRA/backend/app/routers/calendars.py
Kyle Pope fbc452a004 Implement Stage 6 Track A: PIN → Username/Password auth migration 
- New User model (username, argon2id password_hash, totp fields, lockout)
- New UserSession model (DB-backed revocation, replaces in-memory set)
- New services/auth.py: Argon2id hashing, bcrypt→Argon2id upgrade path, URLSafeTimedSerializer session/MFA tokens
- New schemas/auth.py: SetupRequest, LoginRequest, ChangePasswordRequest with OWASP password strength validation
- Full rewrite of routers/auth.py: setup/login/logout/status/change-password with account lockout (10 failures → 30-min, HTTP 423), IP rate limiting retained as outer layer, get_current_user + get_current_settings dependencies replacing get_current_session
- Settings model: drop pin_hash, add user_id FK (nullable for migration)
- Schemas/settings.py: remove SettingsCreate, ChangePinRequest, _validate_pin_length
- Settings router: rewrite to use get_current_user + get_current_settings, preserve ntfy test endpoint
- All 11 consumer routers updated: auth-gate-only routers use get_current_user, routers reading Settings fields use get_current_settings
- config.py: add SESSION_MAX_AGE_DAYS, MFA_TOKEN_MAX_AGE_SECONDS, TOTP_ISSUER
- main.py: import User and UserSession models for Alembic discovery
- requirements.txt: add argon2-cffi>=23.1.0
- Migration 023: create users + user_sessions tables, migrate pin_hash → User row (admin), backfill settings.user_id, drop pin_hash

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 04:12:37 +08:00

103 lines
3.3 KiB
Python
Raw Blame History

from fastapi import APIRouter, Depends, HTTPException
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy import select, update
from typing import List
from app.database import get_db
from app.models.calendar import Calendar
from app.models.calendar_event import CalendarEvent
from app.schemas.calendar import CalendarCreate, CalendarUpdate, CalendarResponse
from app.routers.auth import get_current_user
from app.models.user import User
router = APIRouter()
@router.get("/", response_model=List[CalendarResponse])
async def get_calendars(
db: AsyncSession = Depends(get_db),
current_user: User = Depends(get_current_user)
):
result = await db.execute(select(Calendar).order_by(Calendar.is_default.desc(), Calendar.name.asc()))
return result.scalars().all()
@router.post("/", response_model=CalendarResponse, status_code=201)
async def create_calendar(
calendar: CalendarCreate,
db: AsyncSession = Depends(get_db),
current_user: User = Depends(get_current_user)
):
new_calendar = Calendar(
name=calendar.name,
color=calendar.color,
is_default=False,
is_system=False,
is_visible=True,
)
db.add(new_calendar)
await db.commit()
await db.refresh(new_calendar)
return new_calendar
@router.put("/{calendar_id}", response_model=CalendarResponse)
async def update_calendar(
calendar_id: int,
calendar_update: CalendarUpdate,
db: AsyncSession = Depends(get_db),
current_user: User = Depends(get_current_user)
):
result = await db.execute(select(Calendar).where(Calendar.id == calendar_id))
calendar = result.scalar_one_or_none()
if not calendar:
raise HTTPException(status_code=404, detail="Calendar not found")
update_data = calendar_update.model_dump(exclude_unset=True)
# System calendars: allow visibility toggle but block name changes
if calendar.is_system and "name" in update_data:
raise HTTPException(status_code=400, detail="Cannot rename system calendars")
for key, value in update_data.items():
setattr(calendar, key, value)
await db.commit()
await db.refresh(calendar)
return calendar
@router.delete("/{calendar_id}", status_code=204)
async def delete_calendar(
calendar_id: int,
db: AsyncSession = Depends(get_db),
current_user: User = Depends(get_current_user)
):
result = await db.execute(select(Calendar).where(Calendar.id == calendar_id))
calendar = result.scalar_one_or_none()
if not calendar:
raise HTTPException(status_code=404, detail="Calendar not found")
if calendar.is_system:
raise HTTPException(status_code=400, detail="Cannot delete system calendars")
if calendar.is_default:
raise HTTPException(status_code=400, detail="Cannot delete the default calendar")
# Reassign all events on this calendar to the default calendar
default_result = await db.execute(select(Calendar).where(Calendar.is_default == True))
default_calendar = default_result.scalar_one_or_none()
if default_calendar:
await db.execute(
update(CalendarEvent)
.where(CalendarEvent.calendar_id == calendar_id)
.values(calendar_id=default_calendar.id)
)
await db.delete(calendar)
await db.commit()
return None
Reference in New Issue View Git Blame Copy Permalink