Multi-user via PocketID: account linking, group gating, admin user management

PocketID OIDC already auto-provisioned users keyed by pocketid_sub, and the data layer was already fully user-scoped. This adds the missing pieces for running real multi-user: - auth.py callback: link by email to an existing un-linked account (so the admin keeps their data when first signing in by passkey), collision-safe username generation, and request the `groups` scope. - Group gating: optional pocketid_allowed_group (admin-config or POCKETID_ALLOWED_GROUP env); users lacking the group are rejected at the callback and redirected to /login?auth_error=not_authorized. - New admin users API (app/api/users.py): list users, promote/demote admin (guards against demoting/locking out the last admin or yourself), and delete a user with ordered bulk deletes of all their data + on-disk files. - ProfilePage: allowed-group field; LoginPage: rejected-login message; Layout: admin-only Users nav; new UsersPage. Resync milevault_export to current source (it had drifted many features behind — missing garmin_sync, npm-ci Dockerfile and @polyline-codec that broke its own CI) and add POCKETID_ALLOWED_GROUP to .env.example. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 13:19:55 +01:00
parent bc4d68da07
commit 0e4bc7b444
46 changed files with 3282 additions and 588 deletions
@@ -1,6 +1,6 @@
 from fastapi import APIRouter, Depends, HTTPException, Query
 from sqlalchemy.ext.asyncio import AsyncSession
-from sqlalchemy import select, func, desc
+from sqlalchemy import select, func, desc, delete
 from pydantic import BaseModel
 from typing import Optional, List
 from datetime import datetime
@@ -75,6 +75,30 @@ class LapOut(BaseModel):
        from_attributes = True


+@router.get("/stats/ytd")
+async def ytd_stats(
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """Return year-to-date distance totals grouped by sport type."""
+    from datetime import date, timezone
+    year_start = datetime(date.today().year, 1, 1, tzinfo=timezone.utc)
+    result = await db.execute(
+        select(Activity.sport_type, func.sum(Activity.distance_m).label("total_m"))
+        .where(Activity.user_id == current_user.id, Activity.start_time >= year_start)
+        .group_by(Activity.sport_type)
+    )
+    rows = result.all()
+    totals = {r.sport_type: (r.total_m or 0) / 1000 for r in rows}
+    return {
+        "running_km": round(totals.get("running", 0), 2),
+        "cycling_km": round(totals.get("cycling", 0), 2),
+        "hiking_km": round(totals.get("hiking", 0), 2),
+        "walking_km": round(totals.get("walking", 0), 2),
+        "total_km": round(sum(totals.values()), 2),
+    }
+
+
@router.get("/", response_model=List[ActivitySummary])
 async def list_activities(
    page: int = Query(1, ge=1),
@@ -126,7 +150,6 @@ async def get_data_points(
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
 ):
-    # Verify ownership
    act = await db.execute(
        select(Activity).where(
            Activity.id == activity_id,
@@ -211,3 +234,38 @@ async def delete_activity(
        raise HTTPException(status_code=404, detail="Activity not found")
    await db.delete(activity)
    await db.commit()
+
+
+@router.post("/{activity_id}/reprocess")
+async def reprocess_activity(
+    activity_id: int,
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """Re-parse the source FIT file and update polyline, data points etc."""
+    import os
+    result = await db.execute(
+        select(Activity).where(
+            Activity.id == activity_id,
+            Activity.user_id == current_user.id,
+        )
+    )
+    activity = result.scalar_one_or_none()
+    if not activity:
+        raise HTTPException(status_code=404, detail="Activity not found")
+    if not activity.source_file:
+        raise HTTPException(status_code=400, detail="No source file stored for this activity")
+    if not os.path.exists(activity.source_file):
+        raise HTTPException(status_code=404, detail="Source file no longer exists on disk")
+
+    source_file = activity.source_file
+    source_type = activity.source_type or "fit"
+
+    await db.execute(delete(ActivityDataPoint).where(ActivityDataPoint.activity_id == activity_id))
+    await db.execute(delete(ActivityLap).where(ActivityLap.activity_id == activity_id))
+    await db.delete(activity)
+    await db.commit()
+
+    from app.workers.tasks import process_activity_file
+    task = process_activity_file.delay(source_file, current_user.id, source_type)
+    return {"task_id": task.id, "status": "queued"}