Merge remote-tracking branch 'origin/main' into modal

Author: github-actions[bot]

.claude/settings.local.json

@@ -10,7 +10,8 @@
       "Explore",
       "Find",
       "Search",
-      "WebSearch"
+      "WebSearch",
+      "WebFetch(*)"
     ]
   }
 }

.github/workflows/propagate.yml

@@ -0,0 +1,66 @@
+name: propagate
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  propagate:
+    strategy:
+      matrix:
+        branch: [modal, hetzner]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate token
+        id: create_token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ steps.create_token.outputs.token }}
+
+      - name: Attempt merge and push, or open PR on conflict
+        env:
+          GH_TOKEN: ${{ steps.create_token.outputs.token }}
+          BRANCH: ${{ matrix.branch }}
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          git checkout "$BRANCH"
+
+          if git merge origin/main --no-edit; then
+            echo "Merge succeeded, pushing to $BRANCH"
+            git push origin "$BRANCH"
+          else
+            echo "Merge conflict detected, opening PR"
+            git merge --abort
+
+            # Create a temporary branch for the PR
+            TEMP_BRANCH="auto-merge/main-to-${BRANCH}-$(date +%Y%m%d%H%M%S)"
+            git checkout -b "$TEMP_BRANCH" origin/main
+
+            git push origin "$TEMP_BRANCH"
+
+            gh pr create \
+              --base "$BRANCH" \
+              --head "$TEMP_BRANCH" \
+              --title "Propagate main to ${BRANCH}" \
+              --body "$(cat <<'PREOF'
+          ## Summary
+          - Auto-generated PR to propagate changes from `main` to the deployment branch
+          - Opened because an automatic merge had conflicts that need manual resolution
+
+          🤖 Generated by the propagate workflow
+          PREOF
+              )"
+          fi

docs/architecture.qmd

@@ -8,7 +8,7 @@ description: "Overview of the FastAPI webapp template architecture including dat
 This application uses a **hybrid Post-Redirect-Get (PRG) + HTMX** architecture. Every mutating endpoint supports both paths simultaneously:
 
 - **Non-HTMX path (PRG):** A standard browser form submission sends a POST request. On success the server issues a `303 See Other` redirect to a GET endpoint, which re-renders the full page with updated data. On error a full-page error template is returned.
-- **HTMX path:** When the browser sends the `HX-Request: true` header (added automatically by [htmx.org](https://htmx.org)), the same POST endpoint detects the header via `utils/htmx.py:is_htmx_request()` and instead returns a `200` HTML partial that HTMX swaps into the relevant section of the page. On error a toast partial is returned and swapped into `#toast-container` via out-of-band (OOB) swap.
+- **HTMX path:** When the browser sends the `HX-Request: true` header (added automatically by [htmx.org](https://htmx.org)), the same POST endpoint detects the header via `utils/core/htmx.py:is_htmx_request()` and instead returns a `200` HTML partial that HTMX swaps into the relevant section of the page. On error a toast partial is returned and swapped into `#toast-container` via out-of-band (OOB) swap.
 
 The HTMX rollout keeps the existing POST route contract intact — dedicated `PUT`/`PATCH`/`DELETE` routes may be introduced in a future iteration.
 
@@ -129,7 +129,7 @@ Toast partials are rendered from `templates/base/partials/toast.html` and inject
 
 ### HTMX request detection
 
-All HTMX-aware endpoints use the `is_htmx_request()` helper from `utils/htmx.py`:
+All HTMX-aware endpoints use the `is_htmx_request()` helper from `utils/core/htmx.py`:
 
 ```python
 def is_htmx_request(request: Request) -> bool:

docs/customization.qmd

@@ -128,7 +128,7 @@ The GET route for the homepage is defined in the main entry point for the applic
 
 We name our GET routes using the convention `read_<name>`, where `<name>` is the name of the resource, to indicate that they are read-only endpoints that do not modify the database. In POST routes that modify the database, you can use the `get_session` dependency as an argument to get a database session.
 
-Routes that require authentication generally take the `get_authenticated_account` dependency as an argument. Unauthenticated GET routes generally take the `get_optional_user` dependency as an argument. If a route should *only* be seen by authenticated users (i.e., a login page), you can redirect to the dashboard if `get_optional_user` returns a `User` object.
+Routes that require authentication generally take the `get_authenticated_account` dependency as an argument. Unauthenticated GET routes generally take the `get_optional_user` dependency as an argument. Routes that should *only* be seen by unauthenticated users (e.g., login, register) use the `require_unauthenticated_client` dependency, which automatically redirects authenticated users to the dashboard. Routes that require re-verification of credentials (e.g., account deletion) use the `get_verified_account` dependency, which wraps `get_authenticated_account` with an additional email/password check.
 
 ### Context variables
 
@@ -173,7 +173,7 @@ Middleware functions are decorated with `@app.exception_handler(ExceptionType)`
 Here's a middleware for handling the `PasswordValidationError` exception, which returns a toast partial for HTMX requests or a full error page for non-HTMX requests:
 
 ```python
-from utils.htmx import is_htmx_request
+from utils.core.htmx import is_htmx_request
 
 @app.exception_handler(PasswordValidationError)
 async def password_validation_exception_handler(request: Request, exc: PasswordValidationError):

docs/static/documentation.txt

@@ -229,7 +229,7 @@ description: "Overview of the FastAPI webapp template architecture including dat
 This application uses a **hybrid Post-Redirect-Get (PRG) + HTMX** architecture. Every mutating endpoint supports both paths simultaneously:
 
 - **Non-HTMX path (PRG):** A standard browser form submission sends a POST request. On success the server issues a `303 See Other` redirect to a GET endpoint, which re-renders the full page with updated data. On error a full-page error template is returned.
-- **HTMX path:** When the browser sends the `HX-Request: true` header (added automatically by [htmx.org](https://htmx.org)), the same POST endpoint detects the header via `utils/htmx.py:is_htmx_request()` and instead returns a `200` HTML partial that HTMX swaps into the relevant section of the page. On error a toast partial is returned and swapped into `#toast-container` via out-of-band (OOB) swap.
+- **HTMX path:** When the browser sends the `HX-Request: true` header (added automatically by [htmx.org](https://htmx.org)), the same POST endpoint detects the header via `utils/core/htmx.py:is_htmx_request()` and instead returns a `200` HTML partial that HTMX swaps into the relevant section of the page. On error a toast partial is returned and swapped into `#toast-container` via out-of-band (OOB) swap.
 
 The HTMX rollout keeps the existing POST route contract intact — dedicated `PUT`/`PATCH`/`DELETE` routes may be introduced in a future iteration.
 
@@ -350,7 +350,7 @@ Toast partials are rendered from `templates/base/partials/toast.html` and inject
 
 ### HTMX request detection
 
-All HTMX-aware endpoints use the `is_htmx_request()` helper from `utils/htmx.py`:
+All HTMX-aware endpoints use the `is_htmx_request()` helper from `utils/core/htmx.py`:
 
 ```python
 def is_htmx_request(request: Request) -> bool:
@@ -843,7 +843,7 @@ Middleware functions are decorated with `@app.exception_handler(ExceptionType)`
 Here's a middleware for handling the `PasswordValidationError` exception, which returns a toast partial for HTMX requests or a full error page for non-HTMX requests:
 
 ```python
-from utils.htmx import is_htmx_request
+from utils.core.htmx import is_htmx_request
 
 @app.exception_handler(PasswordValidationError)
 async def password_validation_exception_handler(request: Request, exc: PasswordValidationError):

exceptions/http_exceptions.py

@@ -35,6 +35,15 @@ def __init__(self):
         )
 
 
+class AlreadyAuthenticatedError(HTTPException):
+    """Raised when an authenticated user tries to access a page meant for unauthenticated users."""
+    def __init__(self):
+        super().__init__(
+            status_code=status.HTTP_303_SEE_OTHER,
+            headers={"Location": "/dashboard/"}
+        )
+
+
 class PasswordValidationError(HTTPException):
     def __init__(self, field: str, message: str):
         super().__init__(

main.py

@@ -1,5 +1,4 @@
 import logging
-from typing import Optional
 from contextlib import asynccontextmanager
 from dotenv import load_dotenv
 from fastapi import FastAPI, Request, Depends, status
@@ -10,12 +9,13 @@
 from starlette.exceptions import HTTPException as StarletteHTTPException
 from routers.core import account, dashboard, organization, role, user, static_pages, invitation
 from utils.core.dependencies import (
-    get_optional_user,
-    get_user_from_request
+    get_user_from_request,
+    require_unauthenticated_client
 )
 from utils.core.auth import COOKIE_SECURE
-from utils.htmx import is_htmx_request, toast_response
+from utils.core.htmx import is_htmx_request, toast_response
 from exceptions.http_exceptions import (
+    AlreadyAuthenticatedError,
     AuthenticationError,
     PasswordValidationError,
     CredentialsError,
@@ -25,7 +25,6 @@
     NeedsNewTokens
 )
 from utils.core.db import set_up_db
-from utils.core.models import User
 
 logger = logging.getLogger("uvicorn.error")
 logger.setLevel(logging.DEBUG)
@@ -76,6 +75,19 @@ async def authentication_error_handler(request: Request, exc: AuthenticationErro
     )
 
 
+# Handle AlreadyAuthenticatedError by redirecting to dashboard
+@app.exception_handler(AlreadyAuthenticatedError)
+async def already_authenticated_error_handler(request: Request, exc: AlreadyAuthenticatedError):
+    if is_htmx_request(request):
+        response = Response(status_code=200)
+        response.headers["HX-Redirect"] = str(request.url_for("read_dashboard"))
+        return response
+    return RedirectResponse(
+        url=app.url_path_for("read_dashboard"),
+        status_code=status.HTTP_302_FOUND
+    )
+
+
 # Handle RateLimitError (429 Too Many Requests)
 @app.exception_handler(RateLimitError)
 async def rate_limit_error_handler(request: Request, exc: RateLimitError):
@@ -88,7 +100,7 @@ async def rate_limit_error_handler(request: Request, exc: RateLimitError):
     response = templates.TemplateResponse(
         request,
         "errors/error.html",
-        {"status_code": 429, "detail": exc.detail, "user": user},
+        {"status_code": 429, "detail": exc.detail, "errors": None, "user": user},
         status_code=429,
     )
     response.headers["Retry-After"] = str(exc.retry_after)
@@ -107,7 +119,7 @@ async def credentials_exception_handler(request: Request, exc: CredentialsError)
     return templates.TemplateResponse(
         request,
         "errors/error.html",
-        {"status_code": exc.status_code, "detail": exc.detail, "user": user},
+        {"status_code": exc.status_code, "detail": exc.detail, "errors": None, "user": user},
         status_code=exc.status_code,
     )
 
@@ -162,6 +174,7 @@ async def password_validation_exception_handler(
         "errors/error.html",
         {
             "status_code": 422,
+            "detail": None,
             "errors": {field.replace("_", " ").title(): message},
             "user": user
         },
@@ -226,6 +239,7 @@ async def validation_exception_handler(
         "errors/error.html",
         {
             "status_code": 422,
+            "detail": None,
             "errors": errors,
             "user": user
         },
@@ -246,7 +260,7 @@ async def http_exception_handler(request: Request, exc: StarletteHTTPException):
     return templates.TemplateResponse(
         request,
         "errors/error.html",
-        {"status_code": exc.status_code, "detail": exc.detail, "user": user},
+        {"status_code": exc.status_code, "detail": exc.detail, "errors": None, "user": user},
         status_code=exc.status_code,
     )
 
@@ -271,6 +285,7 @@ async def general_exception_handler(request: Request, exc: Exception):
         {
             "status_code": 500,
             "detail": "Internal Server Error",
+            "errors": None,
             "user": user
         },
         status_code=500,
@@ -283,14 +298,12 @@ async def general_exception_handler(request: Request, exc: Exception):
 @app.get("/")
 async def read_home(
     request: Request,
-    user: Optional[User] = Depends(get_optional_user)
+    _: None = Depends(require_unauthenticated_client)
 ):
-    if user:
-        return RedirectResponse(url=app.url_path_for("read_dashboard"), status_code=302)
     return templates.TemplateResponse(
         request,
         "index.html",
-        {"user": user}
+        {"user": None}
     )
 
 

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "fastapi-jinja2-postgres-webapp"
-version = "0.1.11"
+version = "0.1.13"
 description = "A template webapp with a pure-Python FastAPI backend, frontend templating with Jinja2, and a Postgres database to power user auth"
 readme = "README.md"
 package-mode = false
@@ -34,6 +34,7 @@ dev = [
     "sqlalchemy-schemadisplay<3.0,>=2.0",
     "ty>=0.0.21",
     "ruff>=0.15.5",
+    "pytest-jinja-check[fastapi]>=1.0.2",
 ]
 
 [tool.ty.rules]