"""SQLite data layer for bincio-auth. Schema ------ users — registered accounts (handle, hashed password, access flags) sessions — active login sessions (opaque token → handle, expiry) invites — invite codes (who created, who used, grants_activity flag) reset_codes — password reset tokens (admin-issued, 24 h TTL) email_reset_tokens — self-service password reset tokens (emailed, 1 h TTL) settings — instance-wide key/value config user_prefs — per-user key/value preferences All timestamps are Unix integers (UTC). Passwords are hashed with bcrypt. Sessions are opaque random tokens stored here; JWTs are issued separately by tokens.py and validated locally by consumers without a DB round-trip. """ from __future__ import annotations import secrets import sqlite3 import time from dataclasses import dataclass from pathlib import Path import bcrypt _SCHEMA = """ CREATE TABLE IF NOT EXISTS users ( handle TEXT PRIMARY KEY, display_name TEXT NOT NULL DEFAULT '', password_hash TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0, wiki_access INTEGER NOT NULL DEFAULT 1, activity_access INTEGER NOT NULL DEFAULT 0, suspended INTEGER NOT NULL DEFAULT 0, created_at INTEGER NOT NULL ); CREATE TABLE IF NOT EXISTS sessions ( token TEXT PRIMARY KEY, handle TEXT NOT NULL REFERENCES users(handle) ON DELETE CASCADE, created_at INTEGER NOT NULL, expires_at INTEGER NOT NULL ); CREATE TABLE IF NOT EXISTS invites ( code TEXT PRIMARY KEY, created_by TEXT NOT NULL REFERENCES users(handle) ON DELETE CASCADE, used_by TEXT REFERENCES users(handle) ON DELETE SET NULL, created_at INTEGER NOT NULL, used_at INTEGER, grants_activity INTEGER NOT NULL DEFAULT 0 ); CREATE TABLE IF NOT EXISTS reset_codes ( code TEXT PRIMARY KEY, handle TEXT NOT NULL REFERENCES users(handle) ON DELETE CASCADE, created_by TEXT NOT NULL REFERENCES users(handle) ON DELETE CASCADE, created_at INTEGER NOT NULL, expires_at INTEGER NOT NULL, used_at INTEGER ); CREATE TABLE IF NOT EXISTS settings ( key TEXT PRIMARY KEY, value TEXT NOT NULL ); CREATE TABLE IF NOT EXISTS user_prefs ( handle TEXT NOT NULL REFERENCES users(handle) ON DELETE CASCADE, key TEXT NOT NULL, value TEXT NOT NULL, PRIMARY KEY (handle, key) ); CREATE TABLE IF NOT EXISTS oauth2_clients ( client_id TEXT PRIMARY KEY, client_secret TEXT, name TEXT NOT NULL, redirect_uris TEXT NOT NULL, scopes TEXT NOT NULL DEFAULT 'openid profile', created_at INTEGER NOT NULL ); CREATE TABLE IF NOT EXISTS oauth2_codes ( code TEXT PRIMARY KEY, client_id TEXT NOT NULL, handle TEXT NOT NULL, redirect_uri TEXT NOT NULL, scope TEXT NOT NULL, nonce TEXT, code_challenge TEXT, code_challenge_method TEXT, created_at INTEGER NOT NULL, expires_at INTEGER NOT NULL, used_at INTEGER ); CREATE TABLE IF NOT EXISTS email_reset_tokens ( token TEXT PRIMARY KEY, handle TEXT NOT NULL REFERENCES users(handle) ON DELETE CASCADE, created_at INTEGER NOT NULL, expires_at INTEGER NOT NULL, used_at INTEGER ); CREATE INDEX IF NOT EXISTS sessions_handle ON sessions(handle); CREATE INDEX IF NOT EXISTS invites_created_by ON invites(created_by); CREATE INDEX IF NOT EXISTS reset_codes_handle ON reset_codes(handle); CREATE INDEX IF NOT EXISTS oauth2_codes_client ON oauth2_codes(client_id); CREATE INDEX IF NOT EXISTS user_prefs_handle ON user_prefs(handle); CREATE INDEX IF NOT EXISTS email_reset_tokens_handle ON email_reset_tokens(handle); """ _SESSION_DAYS = 30 _INVITE_LENGTH = 8 _RESET_CODE_TTL_S = 24 * 3600 # 24 hours _EMAIL_RESET_TTL_S = 3600 # 1 hour # ── Data classes ────────────────────────────────────────────────────────────── @dataclass class User: handle: str display_name: str is_admin: bool wiki_access: bool activity_access: bool suspended: bool created_at: int @dataclass class Invite: code: str created_by: str used_by: str | None created_at: int used_at: int | None grants_activity: bool = False @property def used(self) -> bool: return self.used_by is not None # ── Connection ──────────────────────────────────────────────────────────────── def open_db(data_dir: Path) -> sqlite3.Connection: """Open (and if needed create) the instance database.""" db = sqlite3.connect(data_dir / "instance.db", check_same_thread=False) db.row_factory = sqlite3.Row db.execute("PRAGMA journal_mode=WAL") db.execute("PRAGMA foreign_keys=ON") db.executescript(_SCHEMA) cols = {r[1] for r in db.execute("PRAGMA table_info(users)")} if "suspended" not in cols: db.execute("ALTER TABLE users ADD COLUMN suspended INTEGER NOT NULL DEFAULT 0") if "email" not in cols: db.execute("ALTER TABLE users ADD COLUMN email TEXT DEFAULT NULL") db.commit() return db # ── Users ───────────────────────────────────────────────────────────────────── def create_user( db: sqlite3.Connection, handle: str, display_name: str, password: str, is_admin: bool = False, wiki_access: bool = True, activity_access: bool = False, ) -> User: password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode() now = int(time.time()) db.execute( "INSERT INTO users (handle, display_name, password_hash, is_admin, " "wiki_access, activity_access, created_at) VALUES (?, ?, ?, ?, ?, ?, ?)", (handle, display_name, password_hash, int(is_admin), int(wiki_access), int(activity_access), now), ) db.commit() return User(handle=handle, display_name=display_name, is_admin=is_admin, wiki_access=wiki_access, activity_access=activity_access, suspended=False, created_at=now) def get_user(db: sqlite3.Connection, handle: str) -> User | None: row = db.execute("SELECT * FROM users WHERE handle = ?", (handle,)).fetchone() if not row: return None return User( handle=row["handle"], display_name=row["display_name"], is_admin=bool(row["is_admin"]), wiki_access=bool(row["wiki_access"]), activity_access=bool(row["activity_access"]), suspended=bool(row["suspended"]), created_at=row["created_at"], ) def authenticate(db: sqlite3.Connection, handle: str, password: str) -> User | None: """Return the User if credentials are valid and account is not suspended, else None.""" row = db.execute( "SELECT * FROM users WHERE handle = ?", (handle,) ).fetchone() if not row: return None if not bcrypt.checkpw(password.encode(), row["password_hash"].encode()): return None if row["suspended"]: return None return User( handle=row["handle"], display_name=row["display_name"], is_admin=bool(row["is_admin"]), wiki_access=bool(row["wiki_access"]), activity_access=bool(row["activity_access"]), suspended=False, created_at=row["created_at"], ) def change_password(db: sqlite3.Connection, handle: str, new_password: str) -> None: """Replace the password hash for a user.""" new_hash = bcrypt.hashpw(new_password.encode(), bcrypt.gensalt()).decode() db.execute("UPDATE users SET password_hash = ? WHERE handle = ?", (new_hash, handle)) db.commit() def list_users(db: sqlite3.Connection) -> list[User]: rows = db.execute("SELECT * FROM users ORDER BY created_at").fetchall() return [User(handle=r["handle"], display_name=r["display_name"], is_admin=bool(r["is_admin"]), wiki_access=bool(r["wiki_access"]), activity_access=bool(r["activity_access"]), suspended=bool(r["suspended"]), created_at=r["created_at"]) for r in rows] def delete_user(db: sqlite3.Connection, handle: str) -> None: db.execute("DELETE FROM users WHERE handle = ?", (handle,)) db.commit() def set_suspended(db: sqlite3.Connection, handle: str, suspended: bool) -> None: db.execute("UPDATE users SET suspended = ? WHERE handle = ?", (int(suspended), handle)) db.commit() def get_member_tree(db: sqlite3.Connection) -> list[dict]: """Return users with their inviter handle and join timestamp. Each entry: {handle, display_name, created_at, invited_by (handle or None)}. Ordered oldest-first so callers can build the tree top-down. """ users = {r["handle"]: r for r in db.execute( "SELECT handle, display_name, created_at FROM users ORDER BY created_at" ).fetchall()} # Map invitee → inviter from the used invites invited_by: dict[str, str] = {} for row in db.execute( "SELECT created_by, used_by FROM invites WHERE used_by IS NOT NULL" ).fetchall(): invited_by[row["used_by"]] = row["created_by"] return [ { "handle": r["handle"], "display_name": r["display_name"], "created_at": r["created_at"], "invited_by": invited_by.get(r["handle"]), } for r in users.values() ] def count_users(db: sqlite3.Connection) -> int: """Return the total number of registered users.""" row = db.execute("SELECT COUNT(*) FROM users").fetchone() return row[0] if row else 0 def count_wiki_users(db: sqlite3.Connection) -> int: row = db.execute("SELECT COUNT(*) FROM users WHERE wiki_access = 1").fetchone() return row[0] if row else 0 def count_activity_users(db: sqlite3.Connection) -> int: row = db.execute("SELECT COUNT(*) FROM users WHERE activity_access = 1").fetchone() return row[0] if row else 0 # ── Settings ────────────────────────────────────────────────────────────────── def get_setting(db: sqlite3.Connection, key: str) -> str | None: row = db.execute("SELECT value FROM settings WHERE key = ?", (key,)).fetchone() return row["value"] if row else None def set_setting(db: sqlite3.Connection, key: str, value: str) -> None: db.execute( "INSERT INTO settings (key, value) VALUES (?, ?) " "ON CONFLICT(key) DO UPDATE SET value = excluded.value", (key, value), ) db.commit() # ── Sessions ────────────────────────────────────────────────────────────────── def create_session(db: sqlite3.Connection, handle: str) -> str: """Create a session token for the given user. Returns the token.""" token = secrets.token_hex(32) now = int(time.time()) expires_at = now + _SESSION_DAYS * 86400 db.execute( "INSERT INTO sessions (token, handle, created_at, expires_at) VALUES (?, ?, ?, ?)", (token, handle, now, expires_at), ) db.commit() return token def get_session(db: sqlite3.Connection, token: str) -> User | None: """Return the User owning this session, or None if expired/invalid/suspended.""" row = db.execute( "SELECT s.handle, s.expires_at, u.display_name, u.is_admin, " "u.wiki_access, u.activity_access, u.suspended, u.created_at " "FROM sessions s JOIN users u ON s.handle = u.handle " "WHERE s.token = ?", (token,), ).fetchone() if not row: return None if row["expires_at"] < int(time.time()): delete_session(db, token) return None if row["suspended"]: return None return User( handle=row["handle"], display_name=row["display_name"], is_admin=bool(row["is_admin"]), wiki_access=bool(row["wiki_access"]), activity_access=bool(row["activity_access"]), suspended=False, created_at=row["created_at"], ) def delete_session(db: sqlite3.Connection, token: str) -> None: db.execute("DELETE FROM sessions WHERE token = ?", (token,)) db.commit() def purge_expired_sessions(db: sqlite3.Connection) -> int: cur = db.execute("DELETE FROM sessions WHERE expires_at < ?", (int(time.time()),)) db.commit() return cur.rowcount # ── Invites ─────────────────────────────────────────────────────────────────── _MAX_USER_INVITES = 3 # regular users; admins are unlimited def create_invite( db: sqlite3.Connection, created_by: str, grants_activity: bool = False, ) -> str: """Generate an invite code. Raises ValueError if limits are exceeded.""" user = get_user(db, created_by) if not user: raise ValueError("Unknown user") if grants_activity and not user.activity_access and not user.is_admin: raise ValueError("Cannot grant activity access you don't have") if not user.is_admin: count = db.execute( "SELECT COUNT(*) FROM invites WHERE created_by = ?", (created_by,) ).fetchone()[0] if count >= _MAX_USER_INVITES: raise ValueError(f"Invite limit reached ({_MAX_USER_INVITES})") code = secrets.token_urlsafe(_INVITE_LENGTH)[:_INVITE_LENGTH].upper() db.execute( "INSERT INTO invites (code, created_by, created_at, grants_activity) " "VALUES (?, ?, ?, ?)", (code, created_by, int(time.time()), int(grants_activity)), ) db.commit() return code def use_invite(db: sqlite3.Connection, code: str, handle: str) -> bool: """Mark an invite as used. Returns False if the code is invalid or already used.""" row = db.execute( "SELECT used_by FROM invites WHERE code = ?", (code,) ).fetchone() if not row or row["used_by"] is not None: return False db.execute( "UPDATE invites SET used_by = ?, used_at = ? WHERE code = ?", (handle, int(time.time()), code), ) db.commit() return True def list_invites(db: sqlite3.Connection, handle: str) -> list[Invite]: rows = db.execute( "SELECT * FROM invites WHERE created_by = ? ORDER BY created_at DESC", (handle,), ).fetchall() return [ Invite( code=r["code"], created_by=r["created_by"], used_by=r["used_by"], created_at=r["created_at"], used_at=r["used_at"], grants_activity=bool(r["grants_activity"]), ) for r in rows ] def get_invite(db: sqlite3.Connection, code: str) -> Invite | None: row = db.execute("SELECT * FROM invites WHERE code = ?", (code,)).fetchone() if not row: return None return Invite( code=row["code"], created_by=row["created_by"], used_by=row["used_by"], created_at=row["created_at"], used_at=row["used_at"], grants_activity=bool(row["grants_activity"]), ) # ── Password reset codes ────────────────────────────────────────────────────── def create_reset_code(db: sqlite3.Connection, handle: str, created_by: str) -> str: """Generate a password reset code for a user (admin only, out-of-band delivery). Any previous unused codes for this handle are invalidated first. Returns the new code. """ now = int(time.time()) # Invalidate existing unused codes for this handle db.execute( "DELETE FROM reset_codes WHERE handle = ? AND used_at IS NULL", (handle,), ) code = secrets.token_urlsafe(_INVITE_LENGTH)[:_INVITE_LENGTH].upper() db.execute( "INSERT INTO reset_codes (code, handle, created_by, created_at, expires_at) " "VALUES (?, ?, ?, ?, ?)", (code, handle, created_by, now, now + _RESET_CODE_TTL_S), ) db.commit() return code # ── User preferences ───────────────────────────────────────────────────────── def get_user_prefs(db: sqlite3.Connection, handle: str) -> dict[str, str]: """Return all preferences for a user as a plain dict.""" rows = db.execute( "SELECT key, value FROM user_prefs WHERE handle = ?", (handle,) ).fetchall() return {r["key"]: r["value"] for r in rows} def set_user_pref(db: sqlite3.Connection, handle: str, key: str, value: str) -> None: db.execute( "INSERT INTO user_prefs (handle, key, value) VALUES (?, ?, ?) " "ON CONFLICT(handle, key) DO UPDATE SET value = excluded.value", (handle, key, value), ) db.commit() def set_user_prefs(db: sqlite3.Connection, handle: str, prefs: dict[str, str]) -> None: """Bulk-upsert multiple preferences for a user.""" for key, value in prefs.items(): db.execute( "INSERT INTO user_prefs (handle, key, value) VALUES (?, ?, ?) " "ON CONFLICT(handle, key) DO UPDATE SET value = excluded.value", (handle, key, value), ) db.commit() def use_reset_code(db: sqlite3.Connection, code: str, handle: str) -> bool: """Validate a reset code for the given handle and mark it used. Returns False if the code is invalid, already used, expired, or belongs to a different handle. """ now = int(time.time()) row = db.execute( "SELECT handle, expires_at, used_at FROM reset_codes WHERE code = ?", (code,), ).fetchone() if not row: return False if row["handle"] != handle: return False if row["used_at"] is not None: return False if row["expires_at"] < now: return False db.execute( "UPDATE reset_codes SET used_at = ? WHERE code = ?", (now, code), ) db.commit() return True # ── User email ─────────────────────────────────────────────────────────────── def get_user_by_email(db: sqlite3.Connection, email: str) -> User | None: row = db.execute( "SELECT * FROM users WHERE lower(email) = lower(?)", (email,) ).fetchone() if not row: return None return User( handle=row["handle"], display_name=row["display_name"], is_admin=bool(row["is_admin"]), wiki_access=bool(row["wiki_access"]), activity_access=bool(row["activity_access"]), suspended=bool(row["suspended"]), created_at=row["created_at"], ) def set_user_email(db: sqlite3.Connection, handle: str, email: str | None) -> None: db.execute("UPDATE users SET email = ? WHERE handle = ?", (email, handle)) db.commit() def get_user_email(db: sqlite3.Connection, handle: str) -> str | None: row = db.execute("SELECT email FROM users WHERE handle = ?", (handle,)).fetchone() return row["email"] if row else None # ── Email reset tokens ──────────────────────────────────────────────────────── def create_email_reset_token(db: sqlite3.Connection, handle: str) -> str: now = int(time.time()) db.execute("DELETE FROM email_reset_tokens WHERE handle = ? AND used_at IS NULL", (handle,)) token = secrets.token_urlsafe(32) db.execute( "INSERT INTO email_reset_tokens (token, handle, created_at, expires_at) VALUES (?, ?, ?, ?)", (token, handle, now, now + _EMAIL_RESET_TTL_S), ) db.commit() return token def get_email_reset_token(db: sqlite3.Connection, token: str) -> dict | None: row = db.execute("SELECT * FROM email_reset_tokens WHERE token = ?", (token,)).fetchone() return dict(row) if row else None def use_email_reset_token(db: sqlite3.Connection, token: str) -> None: db.execute("UPDATE email_reset_tokens SET used_at = ? WHERE token = ?", (int(time.time()), token)) db.commit() # ── OAuth2 clients ──────────────────────────────────────────────────────────── import json as _json def get_oauth2_client(db: sqlite3.Connection, client_id: str) -> dict | None: row = db.execute( "SELECT client_id, client_secret, name, redirect_uris, scopes FROM oauth2_clients WHERE client_id = ?", (client_id,), ).fetchone() if not row: return None return { "client_id": row["client_id"], "client_secret": row["client_secret"], "name": row["name"], "redirect_uris": _json.loads(row["redirect_uris"]), "scopes": row["scopes"], } def upsert_oauth2_client( db: sqlite3.Connection, client_id: str, client_secret: str | None, name: str, redirect_uris: list[str], scopes: str = "openid profile", ) -> None: db.execute( "INSERT INTO oauth2_clients (client_id, client_secret, name, redirect_uris, scopes, created_at) " "VALUES (?, ?, ?, ?, ?, ?) " "ON CONFLICT(client_id) DO UPDATE SET " "client_secret=excluded.client_secret, name=excluded.name, " "redirect_uris=excluded.redirect_uris, scopes=excluded.scopes", (client_id, client_secret, name, _json.dumps(redirect_uris), scopes, int(time.time())), ) db.commit() # ── OAuth2 authorization codes ──────────────────────────────────────────────── _CODE_TTL = 300 # 5 minutes def create_oauth2_code( db: sqlite3.Connection, client_id: str, handle: str, redirect_uri: str, scope: str, nonce: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None, ) -> str: code = secrets.token_urlsafe(32) now = int(time.time()) db.execute( "INSERT INTO oauth2_codes " "(code, client_id, handle, redirect_uri, scope, nonce, code_challenge, code_challenge_method, created_at, expires_at) " "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", (code, client_id, handle, redirect_uri, scope, nonce, code_challenge, code_challenge_method, now, now + _CODE_TTL), ) db.commit() return code def get_oauth2_code(db: sqlite3.Connection, code: str) -> dict | None: row = db.execute("SELECT * FROM oauth2_codes WHERE code = ?", (code,)).fetchone() if not row: return None return dict(row) def use_oauth2_code(db: sqlite3.Connection, code: str) -> None: db.execute("UPDATE oauth2_codes SET used_at = ? WHERE code = ?", (int(time.time()), code)) db.commit()