feat: user management

Author: Leoglme

api/core/deps.py

@@ -48,7 +48,11 @@ def get_current_user(
     credentials: Annotated[HTTPAuthorizationCredentials | None, Depends(security)],
     db: Annotated[Session, Depends(get_db)],
 ) -> User:
-    """Require a valid Bearer JWT and return the ``User`` row."""
+    """Require a valid Bearer JWT and return the ``User`` row.
+
+    Tokens belonging to non-approved users (banned, rejected, pending) are
+    rejected so revoking access takes effect on every API call.
+    """
     if credentials is None:
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authenticated")
     try:
@@ -59,6 +63,8 @@ def get_current_user(
     user = db.get(User, user_id)
     if user is None:
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found")
+    if user.status != "approved":
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access revoked")
     return user
 
 
@@ -75,3 +81,12 @@ def get_current_user_optional(
     except (JWTError, ValueError):
         return None
     return db.get(User, user_id)
+
+
+def get_current_admin(
+    user: Annotated[User, Depends(get_current_user)],
+) -> User:
+    """Require a logged-in user with the admin flag."""
+    if not user.is_admin:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin only")
+    return user

api/main.py

@@ -17,6 +17,7 @@
 from fastapi.responses import JSONResponse
 
 from config import get_settings
+from routes import access_requests as access_requests_routes
 from routes import articles as articles_routes
 from routes import auth as auth_routes
 from routes import ebay_route
@@ -95,6 +96,7 @@ def health() -> dict[str, str]:
 
 app.include_router(auth_routes.router, prefix="/auth")
 app.include_router(users_routes.router)
+app.include_router(access_requests_routes.router)
 app.include_router(articles_routes.router)
 app.include_router(settings_route.router)
 app.include_router(ebay_route.router)

api/migrations/005_access_requests.sql

@@ -0,0 +1,13 @@
+-- Access requests, admin flag and password setup tokens.
+
+ALTER TABLE users MODIFY COLUMN `password` VARCHAR(255) NULL;
+ALTER TABLE users ADD COLUMN IF NOT EXISTS is_admin TINYINT(1) NOT NULL DEFAULT 0;
+ALTER TABLE users ADD COLUMN IF NOT EXISTS status VARCHAR(16) NOT NULL DEFAULT 'pending';
+ALTER TABLE users ADD COLUMN IF NOT EXISTS request_message TEXT NULL;
+ALTER TABLE users ADD COLUMN IF NOT EXISTS password_setup_token VARCHAR(64) NULL;
+ALTER TABLE users ADD COLUMN IF NOT EXISTS password_setup_expires_at DATETIME(6) NULL;
+
+-- Existing rows (pre-migration) are real users created by the admin → mark approved.
+UPDATE users SET status = 'approved' WHERE status IS NULL OR status = '' OR status = 'pending';
+
+CREATE UNIQUE INDEX IF NOT EXISTS uq_users_password_setup_token ON users (password_setup_token);

api/models/user.py

@@ -4,11 +4,14 @@
 
 import datetime as dt
 
-from sqlalchemy import DateTime, String, Text
+from sqlalchemy import Boolean, DateTime, String, Text
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from models.base import Base
 
+#: Application-wide allowed user statuses.
+USER_STATUSES = ("pending", "approved", "rejected", "banned")
+
 
 class User(Base):
     """Application user with login and optional Vinted credentials (hashed)."""
@@ -17,7 +20,8 @@ class User(Base):
 
     id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
     email: Mapped[str] = mapped_column(String(255), unique=True, index=True)
-    password: Mapped[str] = mapped_column("password", String(255))
+    #: Bcrypt hash. ``None`` while the user has only requested access (no password yet).
+    password: Mapped[str | None] = mapped_column("password", String(255), nullable=True)
     vinted_email: Mapped[str | None] = mapped_column(String(255), nullable=True)
     vinted_password: Mapped[str | None] = mapped_column("vinted_password", String(255), nullable=True)
     ebay_refresh_token: Mapped[str | None] = mapped_column(Text(), nullable=True)
@@ -26,6 +30,23 @@ class User(Base):
         DateTime(timezone=True),
         nullable=True,
     )
+    #: True only for the admin user (seeded from SEED_USER_EMAIL).
+    is_admin: Mapped[bool] = mapped_column(Boolean(), default=False, server_default="0", nullable=False)
+    #: pending | approved | rejected | banned
+    status: Mapped[str] = mapped_column(
+        String(16),
+        default="pending",
+        server_default="pending",
+        nullable=False,
+    )
+    #: Message attached to the access request (filled from /request).
+    request_message: Mapped[str | None] = mapped_column(Text(), nullable=True)
+    #: Single-use token allowing the user to set/reset their password.
+    password_setup_token: Mapped[str | None] = mapped_column(String(64), nullable=True, unique=True)
+    password_setup_expires_at: Mapped[dt.datetime | None] = mapped_column(
+        DateTime(timezone=True),
+        nullable=True,
+    )
     created_at: Mapped[dt.datetime] = mapped_column(
         DateTime(timezone=True),
         default=lambda: dt.datetime.now(dt.UTC),

api/routes/access_requests.py

@@ -0,0 +1,148 @@
+"""Public access requests + admin moderation + password setup links."""
+
+from __future__ import annotations
+
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, Request
+from sqlalchemy.orm import Session
+
+from core.database import get_db
+from core.deps import get_current_admin
+from models.user import User
+from routes.users import _serialize_admin
+from schemas.access_requests import (
+    AccessRequestCreate,
+    AccessRequestSubmittedResponse,
+    PasswordSetupCompleteRequest,
+    PasswordSetupInfoResponse,
+    PasswordSetupTokenResponse,
+)
+from schemas.users import AdminUserResponse
+from services import access_request_service
+from services.access_request_service import _as_utc as _as_utc_dt
+
+
+def _iso_utc(value) -> str:
+    """ISO 8601 in UTC (with explicit ``+00:00``) so JS clients parse correctly."""
+    aware = _as_utc_dt(value)
+    return aware.isoformat() if aware else ""
+
+router = APIRouter()
+
+# ----------------------------------------------------------------------- public
+
+requests_router = APIRouter(prefix="/access-requests", tags=["access-requests"])
+
+
+@requests_router.post(
+    "",
+    response_model=AccessRequestSubmittedResponse,
+    status_code=201,
+)
+def submit_access_request(
+    body: AccessRequestCreate,
+    db: Annotated[Session, Depends(get_db)],
+) -> AccessRequestSubmittedResponse:
+    user = access_request_service.submit_access_request(
+        db,
+        email=body.email,
+        message=body.message,
+    )
+    return AccessRequestSubmittedResponse(email=user.email)
+
+
+# ----------------------------------------------------------------------- admin
+
+
+@requests_router.post("/{user_id}/approve", response_model=AdminUserResponse)
+def approve(
+    user_id: int,
+    db: Annotated[Session, Depends(get_db)],
+    _: Annotated[User, Depends(get_current_admin)],
+) -> AdminUserResponse:
+    user = access_request_service.approve(db, user_id)
+    return _serialize_admin(db, user)
+
+
+@requests_router.post("/{user_id}/reject", response_model=AdminUserResponse)
+def reject(
+    user_id: int,
+    db: Annotated[Session, Depends(get_db)],
+    _: Annotated[User, Depends(get_current_admin)],
+) -> AdminUserResponse:
+    user = access_request_service.reject(db, user_id)
+    return _serialize_admin(db, user)
+
+
+@requests_router.post("/{user_id}/ban", response_model=AdminUserResponse)
+def ban(
+    user_id: int,
+    db: Annotated[Session, Depends(get_db)],
+    _: Annotated[User, Depends(get_current_admin)],
+) -> AdminUserResponse:
+    user = access_request_service.ban(db, user_id)
+    return _serialize_admin(db, user)
+
+
+def _build_setup_url(request: Request, token: str) -> str:
+    """Try the ``Origin`` header first (browser caller), fallback to the API host."""
+    origin = request.headers.get("origin") or request.headers.get("referer")
+    if origin:
+        # Strip any trailing path on referer, keep scheme + host.
+        from urllib.parse import urlparse
+
+        parsed = urlparse(origin)
+        if parsed.scheme and parsed.netloc:
+            return f"{parsed.scheme}://{parsed.netloc}/setup-password/{token}"
+    base = str(request.base_url).rstrip("/")
+    return f"{base}/setup-password/{token}"
+
+
+@requests_router.post("/{user_id}/password-link", response_model=PasswordSetupTokenResponse)
+def issue_password_link(
+    user_id: int,
+    request: Request,
+    db: Annotated[Session, Depends(get_db)],
+    _: Annotated[User, Depends(get_current_admin)],
+) -> PasswordSetupTokenResponse:
+    user, token = access_request_service.generate_password_setup_token(db, user_id)
+    return PasswordSetupTokenResponse(
+        token=token,
+        expires_at=_iso_utc(user.password_setup_expires_at),
+        setup_url=_build_setup_url(request, token),
+    )
+
+
+# ----------------------------------------------------------------- password setup
+
+password_setup_router = APIRouter(prefix="/password-setup", tags=["password-setup"])
+
+
+@password_setup_router.get("/{token}", response_model=PasswordSetupInfoResponse)
+def get_password_setup_info(
+    token: str,
+    db: Annotated[Session, Depends(get_db)],
+) -> PasswordSetupInfoResponse:
+    user = access_request_service.get_user_by_setup_token(db, token)
+    return PasswordSetupInfoResponse(
+        email=user.email,
+        expires_at=_iso_utc(user.password_setup_expires_at),
+    )
+
+
+@password_setup_router.post("/{token}", response_model=PasswordSetupInfoResponse)
+def complete_password_setup(
+    token: str,
+    body: PasswordSetupCompleteRequest,
+    db: Annotated[Session, Depends(get_db)],
+) -> PasswordSetupInfoResponse:
+    user = access_request_service.consume_setup_token(db, token, password=body.password)
+    return PasswordSetupInfoResponse(
+        email=user.email,
+        expires_at="",
+    )
+
+
+router.include_router(requests_router)
+router.include_router(password_setup_router)

api/routes/auth.py

@@ -21,5 +21,12 @@ def login(body: LoginRequest, db: Annotated[Session, Depends(get_db)]) -> TokenR
     user = auth_service.authenticate_user(db, body.email, body.password)
     if user is None:
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")
+    if user.status == "banned":
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Account banned")
+    if user.status == "rejected":
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access request rejected")
+    if user.status != "approved":
+        # 'pending' or any unknown intermediate state.
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access not granted yet")
     token = create_access_token(user.id)
     return TokenResponse(access_token=token)