All tweaks added

milevault_export/backend/app/core/config.py

@@ -0,0 +1,39 @@
+from pydantic_settings import BaseSettings
+from pydantic import Field
+from typing import Optional
+
+
+class Settings(BaseSettings):
+    # Database
+    database_url: str = Field(..., env="DATABASE_URL")
+
+    # Redis
+    redis_url: str = Field("redis://localhost:6379/0", env="REDIS_URL")
+
+    # Auth
+    secret_key: str = Field(..., env="SECRET_KEY")
+    algorithm: str = "HS256"
+    access_token_expire_minutes: int = 60 * 24 * 7  # 7 days
+
+    # Admin account - optional so the worker (which doesn't seed users) can start
+    # without it. The backend service checks this at seed time.
+    admin_username: str = Field("admin", env="ADMIN_USERNAME")
+    admin_password: Optional[str] = Field(None, env="ADMIN_PASSWORD")
+
+    # PocketID OIDC (optional)
+    pocketid_issuer: Optional[str] = Field(None, env="POCKETID_ISSUER")
+    pocketid_client_id: Optional[str] = Field(None, env="POCKETID_CLIENT_ID")
+    pocketid_client_secret: Optional[str] = Field(None, env="POCKETID_CLIENT_SECRET")
+
+    # Files
+    file_store_path: str = Field("/data/files", env="FILE_STORE_PATH")
+
+    # Environment
+    environment: str = Field("production", env="ENVIRONMENT")
+
+    class Config:
+        env_file = ".env"
+        case_sensitive = False
+
+
+settings = Settings()

milevault_export/backend/app/core/database.py

@@ -0,0 +1,47 @@
+from sqlalchemy.ext.asyncio import create_async_engine, AsyncSession, async_sessionmaker
+from sqlalchemy import create_engine
+from sqlalchemy.orm import DeclarativeBase, sessionmaker
+from app.core.config import settings
+
+# Async engine for FastAPI
+engine = create_async_engine(
+    settings.database_url,
+    echo=settings.environment == "development",
+    pool_size=10,
+    max_overflow=20,
+)
+
+AsyncSessionLocal = async_sessionmaker(
+    engine,
+    class_=AsyncSession,
+    expire_on_commit=False,
+)
+
+# Sync engine for Celery workers (Celery + asyncio don't mix well)
+# Convert async URL to sync: postgresql+asyncpg:// → postgresql+psycopg2://
+sync_url = settings.database_url.replace("postgresql+asyncpg://", "postgresql+psycopg2://")
+sync_engine = create_engine(
+    sync_url,
+    echo=False,
+    pool_size=5,
+    max_overflow=10,
+    pool_pre_ping=True,
+)
+
+SyncSessionLocal = sessionmaker(sync_engine, expire_on_commit=False)
+
+
+class Base(DeclarativeBase):
+    pass
+
+
+async def get_db():
+    async with AsyncSessionLocal() as session:
+        try:
+            yield session
+            await session.commit()
+        except Exception:
+            await session.rollback()
+            raise
+        finally:
+            await session.close()

milevault_export/backend/app/core/security.py

@@ -0,0 +1,55 @@
+from datetime import datetime, timedelta, timezone
+from typing import Optional
+from jose import JWTError, jwt
+from passlib.context import CryptContext
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
+from app.core.config import settings
+from app.core.database import get_db
+from app.models.user import User
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/auth/token")
+
+
+def verify_password(plain: str, hashed: str) -> bool:
+    return pwd_context.verify(plain, hashed)
+
+
+def hash_password(password: str) -> str:
+    return pwd_context.hash(password)
+
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+    to_encode = data.copy()
+    expire = datetime.now(timezone.utc) + (
+        expires_delta or timedelta(minutes=settings.access_token_expire_minutes)
+    )
+    to_encode["exp"] = expire
+    return jwt.encode(to_encode, settings.secret_key, algorithm=settings.algorithm)
+
+
+async def get_current_user(
+    token: str = Depends(oauth2_scheme),
+    db: AsyncSession = Depends(get_db),
+) -> User:
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    try:
+        payload = jwt.decode(token, settings.secret_key, algorithms=[settings.algorithm])
+        user_id: str = payload.get("sub")
+        if user_id is None:
+            raise credentials_exception
+    except JWTError:
+        raise credentials_exception
+
+    result = await db.execute(select(User).where(User.id == int(user_id)))
+    user = result.scalar_one_or_none()
+    if user is None:
+        raise credentials_exception
+    return user