UMBRA/backend/app/models/user.py

from sqlalchemy import String, Boolean, Integer, func
from sqlalchemy.orm import Mapped, mapped_column
from datetime import datetime
from app.database import Base


class User(Base):
    __tablename__ = "users"

    id: Mapped[int] = mapped_column(primary_key=True, index=True)
    username: Mapped[str] = mapped_column(String(50), unique=True, nullable=False, index=True)
    password_hash: Mapped[str] = mapped_column(String(255), nullable=False)

    # MFA — populated in Track B
    # String(500) because Fernet-encrypted secrets are longer than raw base32
    totp_secret: Mapped[str | None] = mapped_column(String(500), nullable=True, default=None)
    totp_enabled: Mapped[bool] = mapped_column(Boolean, default=False)

    # Account lockout
    failed_login_count: Mapped[int] = mapped_column(Integer, default=0)
    locked_until: Mapped[datetime | None] = mapped_column(nullable=True, default=None)

    # Account state
    is_active: Mapped[bool] = mapped_column(Boolean, default=True)

    # RBAC
    role: Mapped[str] = mapped_column(
        String(30), nullable=False, default="standard", server_default="standard"
    )

    # MFA enforcement (admin can toggle; checked at login)
    mfa_enforce_pending: Mapped[bool] = mapped_column(
        Boolean, default=False, server_default="false"
    )

    # Forced password change (set after admin reset)
    must_change_password: Mapped[bool] = mapped_column(
        Boolean, default=False, server_default="false"
    )

    # Audit
    created_at: Mapped[datetime] = mapped_column(default=func.now())
    updated_at: Mapped[datetime] = mapped_column(default=func.now(), onupdate=func.now())
    last_login_at: Mapped[datetime | None] = mapped_column(nullable=True, default=None)
    last_password_change_at: Mapped[datetime | None] = mapped_column(nullable=True, default=None)