feat: link pastes to user accounts with ownership tracking

Add user_id FK to pastes table so authenticated users' pastes are
associated with their account. Adds GET /pastes/me endpoint to
retrieve a user's own pastes.

Author: Pdzly

README.md

@@ -53,8 +53,9 @@ Full reference: [`docs/configuration.md`](docs/configuration.md)
 |----------|-------------|
 | `GET /health` | Health check |
 | `GET /metrics` | Prometheus metrics |
-| `POST /pastes` | Create paste |
+| `POST /pastes` | Create paste (linked to account if authenticated) |
 | `GET /pastes/{id}` | Get paste |
+| `GET /pastes/me` | Get authenticated user's pastes |
 | `DELETE /pastes/{id}` | Delete paste |
 | `POST /auth/register` | Register a new user |
 | `POST /auth/login` | Authenticate and get tokens |

backend/alembic/versions/20260404_add_user_id_to_pastes.py

@@ -0,0 +1,38 @@
+"""Add user_id to pastes
+
+Revision ID: add_user_id_to_pastes
+Revises: add_auth_tables
+Create Date: 2026-04-04
+
+"""
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "add_user_id_to_pastes"
+down_revision: str | None = "add_auth_tables"
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    op.add_column("pastes", sa.Column("user_id", sa.UUID(as_uuid=True), nullable=True))
+    op.create_foreign_key(
+        "fk_pastes_user_id",
+        "pastes",
+        "users",
+        ["user_id"],
+        ["id"],
+        ondelete="SET NULL",
+    )
+    op.create_index("idx_pastes_user_id", "pastes", ["user_id"])
+
+
+def downgrade() -> None:
+    op.drop_index("idx_pastes_user_id", table_name="pastes")
+    op.drop_constraint("fk_pastes_user_id", "pastes", type_="foreignkey")
+    op.drop_column("pastes", "user_id")

backend/app/api/dto/paste_dto.py

@@ -82,6 +82,10 @@ class PasteResponse(BaseModel):
     id: UUID4 = Field(
         description="The unique identifier of the paste",
     )
+    user_id: UUID4 | None = Field(
+        None,
+        description="The ID of the user who created the paste (null if anonymous)",
+    )
     title: str = Field(
         description="The title of the paste",
     )

backend/app/api/subroutes/pastes.py

@@ -20,7 +20,7 @@
 )
 from app.config import config
 from app.containers import Container
-from app.dependencies.auth import get_optional_current_user
+from app.dependencies.auth import get_current_user, get_optional_current_user
 from app.exceptions import PasteNotFoundError
 from app.ratelimit import create_auth_aware_key_func, create_auth_aware_limit_resolver, create_limit_resolver, limiter
 from app.services.paste_service import PasteService
@@ -58,6 +58,23 @@ async def _resolve_optional_user(
 delete_token_key_header = APIKeyHeader(name="Authorization", scheme_name="Delete Token")
 
 
+@pastes_route.get(
+    "/me",
+    response_model=list[PasteResponse],
+    summary="Get pastes for the authenticated user",
+    description="Retrieve all pastes created by the currently authenticated user.",
+)
+@limiter.limit(create_limit_resolver(config, "get_paste"), key_func=lambda r: ratelimit.get_exempt_key(r))
+@inject
+async def get_user_pastes(
+    request: Request,
+    paste_service: PasteService = Depends(Provide[Container.paste_service]),
+    current_user=Depends(get_current_user),
+):
+    """Get all pastes belonging to the authenticated user."""
+    return await paste_service.get_user_pastes(current_user.id)
+
+
 @pastes_route.get(
     "/legacy/{paste_id}",
     responses={404: {"model": ErrorResponse}, 200: {"model": LegacyPasteResponse}},
@@ -212,7 +229,12 @@ async def create_paste(
     _current_user=Depends(_resolve_optional_user),
 ):
     """Create a new paste and return edit/delete tokens."""
-    return await paste_service.create_paste(create_paste_body, request.state.user_metadata)
+    user = request.state.current_user
+    return await paste_service.create_paste(
+        create_paste_body,
+        request.state.user_metadata,
+        user_id=user.id if user else None,
+    )
 
 
 @pastes_route.put(

backend/app/db/models.py

@@ -23,6 +23,7 @@ class PasteEntity(Base):
         Index("idx_pastes_expires_at", "expires_at"),
         Index("idx_pastes_deleted_at", "deleted_at"),
         Index("idx_pastes_created_at", "created_at"),
+        Index("idx_pastes_user_id", "user_id"),
     )
 
     id = Column(UUID(as_uuid=True), primary_key=True, server_default=UUID_DEFAULT)
@@ -47,6 +48,12 @@ class PasteEntity(Base):
     delete_token = Column(String)
     deleted_at = Column(TIMESTAMP(timezone=True), nullable=True)
 
+    user_id = Column(
+        UUID(as_uuid=True), ForeignKey("users.id", ondelete="SET NULL"), nullable=True
+    )
+
+    user = relationship("UserEntity", back_populates="pastes")
+
     def __repr__(self):
         return f"<Paste(id={self.id}, title='{self.title}')>"
 
@@ -95,6 +102,7 @@ class UserEntity(Base):
     refresh_tokens = relationship(
         "RefreshTokenEntity", back_populates="user", cascade="all, delete-orphan"
     )
+    pastes = relationship("PasteEntity", back_populates="user")
 
     def __repr__(self):
         return f"<User(id={self.id}, username='{self.username}')>"

backend/app/services/paste_service.py

@@ -240,6 +240,7 @@ async def get_paste_by_id(self, paste_id: UUID4) -> PasteResponse | None:
             paste_operations.labels(operation="get", status="success").inc()
             return PasteResponse(
                 id=result.id,
+                user_id=result.user_id,
                 title=result.title,
                 content=content,
                 content_language=PasteContentLanguage(result.content_language),
@@ -326,6 +327,7 @@ async def edit_paste(self, paste_id: UUID4, edit_paste: EditPaste, edit_token: s
             paste_operations.labels(operation="edit", status="success").inc()
             return PasteResponse(
                 id=result.id,
+                user_id=result.user_id,
                 title=result.title,
                 content=content,
                 content_language=PasteContentLanguage(result.content_language),
@@ -380,7 +382,7 @@ async def delete_paste(self, paste_id: UUID4, delete_token: str) -> bool:
                 counter.dec()
             return True
 
-    async def create_paste(self, paste: CreatePaste, user_data: UserMetaData) -> PasteResponse:
+    async def create_paste(self, paste: CreatePaste, user_data: UserMetaData, user_id: uuid.UUID | None = None) -> PasteResponse:
         if not self.verify_storage_limit():
             paste_operations.labels(operation="create", status="storage_limit").inc()
             raise HTTPException(
@@ -426,6 +428,7 @@ async def create_paste(self, paste: CreatePaste, user_data: UserMetaData) -> Pas
                     original_size=original_size,
                     edit_token=edit_token_hashed,
                     delete_token=delete_token_hashed,
+                    user_id=user_id,
                 )
                 session.add(entity)
                 await session.commit()
@@ -442,6 +445,7 @@ async def create_paste(self, paste: CreatePaste, user_data: UserMetaData) -> Pas
 
                 return CreatePasteResponse(
                     id=entity.id,
+                    user_id=entity.user_id,
                     title=entity.title,
                     content=paste.content,
                     content_language=PasteContentLanguage(entity.content_language),
@@ -460,3 +464,39 @@ async def create_paste(self, paste: CreatePaste, user_data: UserMetaData) -> Pas
                 detail="Failed to create paste",
                 headers={"Retry-After": "60"},
             ) from exc
+
+    async def get_user_pastes(self, user_id: uuid.UUID) -> list[PasteResponse]:
+        async with self.session_maker() as session:
+            stmt = (
+                select(PasteEntity)
+                .where(
+                    PasteEntity.user_id == user_id,
+                    PasteEntity.deleted_at.is_(None),
+                    or_(
+                        PasteEntity.expires_at > datetime.now(tz=UTC),
+                        PasteEntity.expires_at.is_(None),
+                    ),
+                )
+                .order_by(PasteEntity.created_at.desc())
+            )
+            results = (await session.execute(stmt)).scalars().all()
+
+            pastes = []
+            for result in results:
+                content = await self._read_content(
+                    result.content_path,
+                    is_compressed=result.is_compressed,
+                )
+                pastes.append(
+                    PasteResponse(
+                        id=result.id,
+                        user_id=result.user_id,
+                        title=result.title,
+                        content=content,
+                        content_language=PasteContentLanguage(result.content_language),
+                        created_at=result.created_at,
+                        expires_at=result.expires_at,
+                        last_updated_at=result.last_updated_at,
+                    )
+                )
+            return pastes