Kyle Pope
fbc452a004
- New User model (username, argon2id password_hash, totp fields, lockout) - New UserSession model (DB-backed revocation, replaces in-memory set) - New services/auth.py: Argon2id hashing, bcrypt→Argon2id upgrade path, URLSafeTimedSerializer session/MFA tokens - New schemas/auth.py: SetupRequest, LoginRequest, ChangePasswordRequest with OWASP password strength validation - Full rewrite of routers/auth.py: setup/login/logout/status/change-password with account lockout (10 failures → 30-min, HTTP 423), IP rate limiting retained as outer layer, get_current_user + get_current_settings dependencies replacing get_current_session - Settings model: drop pin_hash, add user_id FK (nullable for migration) - Schemas/settings.py: remove SettingsCreate, ChangePinRequest, _validate_pin_length - Settings router: rewrite to use get_current_user + get_current_settings, preserve ntfy test endpoint - All 11 consumer routers updated: auth-gate-only routers use get_current_user, routers reading Settings fields use get_current_settings - config.py: add SESSION_MAX_AGE_DAYS, MFA_TOKEN_MAX_AGE_SECONDS, TOTP_ISSUER - main.py: import User and UserSession models for Alembic discovery - requirements.txt: add argon2-cffi>=23.1.0 - Migration 023: create users + user_sessions tables, migrate pin_hash → User row (admin), backfill settings.user_id, drop pin_hash Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
15 lines
281 B
Plaintext
15 lines
281 B
Plaintext
fastapi==0.115.6
|
|
uvicorn[standard]==0.34.0
|
|
sqlalchemy[asyncio]==2.0.36
|
|
asyncpg==0.30.0
|
|
alembic==1.14.1
|
|
pydantic==2.10.4
|
|
pydantic-settings==2.7.1
|
|
bcrypt==4.2.1
|
|
argon2-cffi>=23.1.0
|
|
python-multipart==0.0.20
|
|
python-dateutil==2.9.0
|
|
itsdangerous==2.2.0
|
|
httpx==0.27.2
|
|
apscheduler==3.10.4
|