Multi-user via PocketID: account linking, group gating, admin user management

PocketID OIDC already auto-provisioned users keyed by pocketid_sub, and the
data layer was already fully user-scoped. This adds the missing pieces for
running real multi-user:

- auth.py callback: link by email to an existing un-linked account (so the
  admin keeps their data when first signing in by passkey), collision-safe
  username generation, and request the `groups` scope.
- Group gating: optional pocketid_allowed_group (admin-config or
  POCKETID_ALLOWED_GROUP env); users lacking the group are rejected at the
  callback and redirected to /login?auth_error=not_authorized.
- New admin users API (app/api/users.py): list users, promote/demote admin
  (guards against demoting/locking out the last admin or yourself), and delete
  a user with ordered bulk deletes of all their data + on-disk files.
- ProfilePage: allowed-group field; LoginPage: rejected-login message;
  Layout: admin-only Users nav; new UsersPage.

Resync milevault_export to current source (it had drifted many features behind
— missing garmin_sync, npm-ci Dockerfile and @polyline-codec that broke its own
CI) and add POCKETID_ALLOWED_GROUP to .env.example.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

milevault_export/backend/app/api/garmin_sync.py

@@ -0,0 +1,160 @@
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
+from pydantic import BaseModel
+from typing import Optional
+from datetime import datetime
+
+from app.core.database import get_db
+from app.core.security import get_current_user
+from app.models.user import User, GarminConnectConfig
+
+router = APIRouter()
+
+
+class GarminConfigIn(BaseModel):
+    email: str
+    password: Optional[str] = None       # plaintext; encrypted before storage. None = keep existing.
+    sync_enabled: bool = True
+    sync_activities: bool = True
+    sync_wellness: bool = True
+    sync_lookback_days: int = 30         # days to look back on first sync; -1 = all-time
+
+
+class GarminConfigOut(BaseModel):
+    email: str
+    sync_enabled: bool
+    sync_activities: bool
+    sync_wellness: bool
+    sync_lookback_days: int
+    last_sync_at: Optional[datetime]
+    last_sync_status: Optional[str]
+    connected: bool
+
+    class Config:
+        from_attributes = True
+
+
+@router.get("/config", response_model=GarminConfigOut)
+async def get_config(
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    result = await db.execute(
+        select(GarminConnectConfig).where(GarminConnectConfig.user_id == current_user.id)
+    )
+    cfg = result.scalar_one_or_none()
+    if not cfg:
+        return GarminConfigOut(
+            email="", sync_enabled=False, sync_activities=True,
+            sync_wellness=True, sync_lookback_days=30,
+            last_sync_at=None, last_sync_status=None, connected=False,
+        )
+    return GarminConfigOut(
+        email=cfg.email,
+        sync_enabled=cfg.sync_enabled,
+        sync_activities=cfg.sync_activities,
+        sync_wellness=cfg.sync_wellness,
+        sync_lookback_days=cfg.sync_lookback_days if cfg.sync_lookback_days is not None else 30,
+        last_sync_at=cfg.last_sync_at,
+        last_sync_status=cfg.last_sync_status,
+        connected=True,
+    )
+
+
+@router.put("/config", response_model=GarminConfigOut)
+async def save_config(
+    body: GarminConfigIn,
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    Save Garmin Connect settings. If a password is provided, re-authenticates and
+    refreshes the stored OAuth token. If no password is provided, only updates the
+    non-credential settings (toggles, lookback days) without re-logging in.
+    """
+    from app.services.garmin_connect_sync import encrypt_password, authenticate_garmin
+
+    result = await db.execute(
+        select(GarminConnectConfig).where(GarminConnectConfig.user_id == current_user.id)
+    )
+    cfg = result.scalar_one_or_none()
+
+    if body.password:
+        # Credentials update — test-login before saving
+        enc = encrypt_password(body.password)
+        try:
+            garmin, token_store = authenticate_garmin(body.email, enc, None)
+        except Exception as exc:
+            raise HTTPException(status_code=400, detail=f"Garmin login failed: {exc}")
+
+        if cfg:
+            cfg.email = body.email
+            cfg.password_enc = enc
+            cfg.token_store = token_store
+            cfg.last_sync_status = "Credentials updated"
+        else:
+            cfg = GarminConnectConfig(
+                user_id=current_user.id,
+                email=body.email,
+                password_enc=enc,
+                token_store=token_store,
+                last_sync_status="Connected",
+            )
+            db.add(cfg)
+    else:
+        # Settings-only update — password unchanged
+        if not cfg:
+            raise HTTPException(status_code=400, detail="No Garmin account connected — password required for first-time setup")
+
+    cfg.sync_enabled = body.sync_enabled
+    cfg.sync_activities = body.sync_activities
+    cfg.sync_wellness = body.sync_wellness
+    cfg.sync_lookback_days = body.sync_lookback_days
+
+    await db.commit()
+    await db.refresh(cfg)
+
+    return GarminConfigOut(
+        email=cfg.email,
+        sync_enabled=cfg.sync_enabled,
+        sync_activities=cfg.sync_activities,
+        sync_wellness=cfg.sync_wellness,
+        sync_lookback_days=cfg.sync_lookback_days if cfg.sync_lookback_days is not None else 30,
+        last_sync_at=cfg.last_sync_at,
+        last_sync_status=cfg.last_sync_status,
+        connected=True,
+    )
+
+
+@router.delete("/config")
+async def delete_config(
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    result = await db.execute(
+        select(GarminConnectConfig).where(GarminConnectConfig.user_id == current_user.id)
+    )
+    cfg = result.scalar_one_or_none()
+    if cfg:
+        await db.delete(cfg)
+        await db.commit()
+    return {"status": "ok"}
+
+
+@router.post("/trigger")
+async def trigger_sync(
+    current_user: User = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+):
+    """Enqueue an immediate Garmin Connect sync for this user."""
+    result = await db.execute(
+        select(GarminConnectConfig).where(GarminConnectConfig.user_id == current_user.id)
+    )
+    cfg = result.scalar_one_or_none()
+    if not cfg or not cfg.sync_enabled:
+        raise HTTPException(status_code=400, detail="Garmin Connect sync is not configured or disabled")
+
+    from app.workers.tasks import sync_garmin_connect_user
+    task = sync_garmin_connect_user.delay(current_user.id)
+    return {"task_id": task.id, "status": "queued"}