owain
0e4bc7b444
PocketID OIDC already auto-provisioned users keyed by pocketid_sub, and the data layer was already fully user-scoped. This adds the missing pieces for running real multi-user: - auth.py callback: link by email to an existing un-linked account (so the admin keeps their data when first signing in by passkey), collision-safe username generation, and request the `groups` scope. - Group gating: optional pocketid_allowed_group (admin-config or POCKETID_ALLOWED_GROUP env); users lacking the group are rejected at the callback and redirected to /login?auth_error=not_authorized. - New admin users API (app/api/users.py): list users, promote/demote admin (guards against demoting/locking out the last admin or yourself), and delete a user with ordered bulk deletes of all their data + on-disk files. - ProfilePage: allowed-group field; LoginPage: rejected-login message; Layout: admin-only Users nav; new UsersPage. Resync milevault_export to current source (it had drifted many features behind — missing garmin_sync, npm-ci Dockerfile and @polyline-codec that broke its own CI) and add POCKETID_ALLOWED_GROUP to .env.example. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
161 lines
5.3 KiB
Python
161 lines
5.3 KiB
Python
from fastapi import APIRouter, Depends, HTTPException
|
|
from sqlalchemy.ext.asyncio import AsyncSession
|
|
from sqlalchemy import select
|
|
from pydantic import BaseModel
|
|
from typing import Optional
|
|
from datetime import datetime
|
|
|
|
from app.core.database import get_db
|
|
from app.core.security import get_current_user
|
|
from app.models.user import User, GarminConnectConfig
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
class GarminConfigIn(BaseModel):
|
|
email: str
|
|
password: Optional[str] = None # plaintext; encrypted before storage. None = keep existing.
|
|
sync_enabled: bool = True
|
|
sync_activities: bool = True
|
|
sync_wellness: bool = True
|
|
sync_lookback_days: int = 30 # days to look back on first sync; -1 = all-time
|
|
|
|
|
|
class GarminConfigOut(BaseModel):
|
|
email: str
|
|
sync_enabled: bool
|
|
sync_activities: bool
|
|
sync_wellness: bool
|
|
sync_lookback_days: int
|
|
last_sync_at: Optional[datetime]
|
|
last_sync_status: Optional[str]
|
|
connected: bool
|
|
|
|
class Config:
|
|
from_attributes = True
|
|
|
|
|
|
@router.get("/config", response_model=GarminConfigOut)
|
|
async def get_config(
|
|
db: AsyncSession = Depends(get_db),
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
result = await db.execute(
|
|
select(GarminConnectConfig).where(GarminConnectConfig.user_id == current_user.id)
|
|
)
|
|
cfg = result.scalar_one_or_none()
|
|
if not cfg:
|
|
return GarminConfigOut(
|
|
email="", sync_enabled=False, sync_activities=True,
|
|
sync_wellness=True, sync_lookback_days=30,
|
|
last_sync_at=None, last_sync_status=None, connected=False,
|
|
)
|
|
return GarminConfigOut(
|
|
email=cfg.email,
|
|
sync_enabled=cfg.sync_enabled,
|
|
sync_activities=cfg.sync_activities,
|
|
sync_wellness=cfg.sync_wellness,
|
|
sync_lookback_days=cfg.sync_lookback_days if cfg.sync_lookback_days is not None else 30,
|
|
last_sync_at=cfg.last_sync_at,
|
|
last_sync_status=cfg.last_sync_status,
|
|
connected=True,
|
|
)
|
|
|
|
|
|
@router.put("/config", response_model=GarminConfigOut)
|
|
async def save_config(
|
|
body: GarminConfigIn,
|
|
db: AsyncSession = Depends(get_db),
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
"""
|
|
Save Garmin Connect settings. If a password is provided, re-authenticates and
|
|
refreshes the stored OAuth token. If no password is provided, only updates the
|
|
non-credential settings (toggles, lookback days) without re-logging in.
|
|
"""
|
|
from app.services.garmin_connect_sync import encrypt_password, authenticate_garmin
|
|
|
|
result = await db.execute(
|
|
select(GarminConnectConfig).where(GarminConnectConfig.user_id == current_user.id)
|
|
)
|
|
cfg = result.scalar_one_or_none()
|
|
|
|
if body.password:
|
|
# Credentials update — test-login before saving
|
|
enc = encrypt_password(body.password)
|
|
try:
|
|
garmin, token_store = authenticate_garmin(body.email, enc, None)
|
|
except Exception as exc:
|
|
raise HTTPException(status_code=400, detail=f"Garmin login failed: {exc}")
|
|
|
|
if cfg:
|
|
cfg.email = body.email
|
|
cfg.password_enc = enc
|
|
cfg.token_store = token_store
|
|
cfg.last_sync_status = "Credentials updated"
|
|
else:
|
|
cfg = GarminConnectConfig(
|
|
user_id=current_user.id,
|
|
email=body.email,
|
|
password_enc=enc,
|
|
token_store=token_store,
|
|
last_sync_status="Connected",
|
|
)
|
|
db.add(cfg)
|
|
else:
|
|
# Settings-only update — password unchanged
|
|
if not cfg:
|
|
raise HTTPException(status_code=400, detail="No Garmin account connected — password required for first-time setup")
|
|
|
|
cfg.sync_enabled = body.sync_enabled
|
|
cfg.sync_activities = body.sync_activities
|
|
cfg.sync_wellness = body.sync_wellness
|
|
cfg.sync_lookback_days = body.sync_lookback_days
|
|
|
|
await db.commit()
|
|
await db.refresh(cfg)
|
|
|
|
return GarminConfigOut(
|
|
email=cfg.email,
|
|
sync_enabled=cfg.sync_enabled,
|
|
sync_activities=cfg.sync_activities,
|
|
sync_wellness=cfg.sync_wellness,
|
|
sync_lookback_days=cfg.sync_lookback_days if cfg.sync_lookback_days is not None else 30,
|
|
last_sync_at=cfg.last_sync_at,
|
|
last_sync_status=cfg.last_sync_status,
|
|
connected=True,
|
|
)
|
|
|
|
|
|
@router.delete("/config")
|
|
async def delete_config(
|
|
db: AsyncSession = Depends(get_db),
|
|
current_user: User = Depends(get_current_user),
|
|
):
|
|
result = await db.execute(
|
|
select(GarminConnectConfig).where(GarminConnectConfig.user_id == current_user.id)
|
|
)
|
|
cfg = result.scalar_one_or_none()
|
|
if cfg:
|
|
await db.delete(cfg)
|
|
await db.commit()
|
|
return {"status": "ok"}
|
|
|
|
|
|
@router.post("/trigger")
|
|
async def trigger_sync(
|
|
current_user: User = Depends(get_current_user),
|
|
db: AsyncSession = Depends(get_db),
|
|
):
|
|
"""Enqueue an immediate Garmin Connect sync for this user."""
|
|
result = await db.execute(
|
|
select(GarminConnectConfig).where(GarminConnectConfig.user_id == current_user.id)
|
|
)
|
|
cfg = result.scalar_one_or_none()
|
|
if not cfg or not cfg.sync_enabled:
|
|
raise HTTPException(status_code=400, detail="Garmin Connect sync is not configured or disabled")
|
|
|
|
from app.workers.tasks import sync_garmin_connect_user
|
|
task = sync_garmin_connect_user.delay(current_user.id)
|
|
return {"task_id": task.id, "status": "queued"}
|