Add invitation system, table of contents, actionable dashboard, and settings improvements
Invitation system (Phase 5.7): - invitation_tokens table (migration 0012) with SHA256-hashed tokens, 7-day expiry - Admin CRUD endpoints: POST/GET/DELETE /api/admin/invitations - Branded invitation email with registration link - /register-invite frontend view with token validation and account creation - Admin UI: invite form + pending invitations table with revoke - Configurable base URL setting for email links (replaces hardcoded Config.BASE_URL) Table of contents + markdown improvements (Phase 5.8): - TableOfContents component: sticky sidebar, heading parsing, smooth-scroll - Custom marked renderer adds id attributes to headings for anchor links - stripFirstLineTags() prevents leading #tags from rendering as headings - NoteViewerView/TaskViewerView flex layout with TOC sidebar (hidden ≤1200px) - Model catalog refresh: added llama3.2/3.3, gemma3, qwen3, phi4, deepseek-r1, qwen2.5-coder, dolphin3; added Reasoning category; removed discontinued models - Settings model section split into Installed/Available tabs Actionable dashboard (Phase 5.9): - due_before/due_after query params on /api/tasks (exclusive < / inclusive >=) - HomeView rewritten: overdue (red accent), due today, in progress, chats, notes - 5 parallel API calls via Promise.allSettled - Client-side done filtering and in-progress deduplication - Task sections hidden when empty; status toggle removes done tasks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -17,3 +17,4 @@ from fabledassistant.models.setting import Setting # noqa: E402, F401
|
||||
from fabledassistant.models.user import User # noqa: E402, F401
|
||||
from fabledassistant.models.app_log import AppLog # noqa: E402, F401
|
||||
from fabledassistant.models.password_reset import PasswordResetToken # noqa: E402, F401
|
||||
from fabledassistant.models.invitation import InvitationToken # noqa: E402, F401
|
||||
|
||||
@@ -0,0 +1,25 @@
|
||||
from datetime import datetime, timezone
|
||||
|
||||
from sqlalchemy import Boolean, DateTime, ForeignKey, Index, Text
|
||||
from sqlalchemy.orm import Mapped, mapped_column
|
||||
|
||||
from fabledassistant.models import Base
|
||||
|
||||
|
||||
class InvitationToken(Base):
|
||||
__tablename__ = "invitation_tokens"
|
||||
|
||||
id: Mapped[int] = mapped_column(primary_key=True)
|
||||
email: Mapped[str] = mapped_column(Text, nullable=False)
|
||||
token_hash: Mapped[str] = mapped_column(Text, nullable=False, unique=True)
|
||||
invited_by: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
|
||||
expires_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False)
|
||||
used: Mapped[bool] = mapped_column(Boolean, default=False, nullable=False)
|
||||
created_at: Mapped[datetime] = mapped_column(
|
||||
DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
|
||||
)
|
||||
|
||||
__table_args__ = (
|
||||
Index("ix_invitation_tokens_token_hash", "token_hash"),
|
||||
Index("ix_invitation_tokens_email", "email"),
|
||||
)
|
||||
@@ -1,12 +1,16 @@
|
||||
import asyncio
|
||||
import json
|
||||
|
||||
from quart import Blueprint, Response, g, jsonify, request
|
||||
|
||||
from fabledassistant.auth import admin_required, login_required, get_current_user_id
|
||||
from fabledassistant.services.auth import (
|
||||
create_invitation,
|
||||
delete_user,
|
||||
is_registration_open,
|
||||
list_pending_invitations,
|
||||
list_users,
|
||||
revoke_invitation,
|
||||
set_registration_open,
|
||||
)
|
||||
from fabledassistant.services.backup import (
|
||||
@@ -14,9 +18,10 @@ from fabledassistant.services.backup import (
|
||||
export_user_backup,
|
||||
restore_full_backup,
|
||||
)
|
||||
from fabledassistant.services.email import SMTP_SETTING_KEYS, get_smtp_config, send_test_email
|
||||
from fabledassistant.services.email import SMTP_SETTING_KEYS, get_base_url, get_smtp_config, is_smtp_configured, send_test_email
|
||||
from fabledassistant.services.logging import get_logs, get_log_stats, log_audit
|
||||
from fabledassistant.services.settings import set_settings_batch
|
||||
from fabledassistant.services.notifications import send_invitation_email
|
||||
from fabledassistant.services.settings import set_setting, set_settings_batch
|
||||
|
||||
admin_bp = Blueprint("admin", __name__, url_prefix="/api/admin")
|
||||
|
||||
@@ -175,3 +180,81 @@ async def list_logs():
|
||||
async def log_stats():
|
||||
stats = await get_log_stats()
|
||||
return jsonify(stats)
|
||||
|
||||
|
||||
@admin_bp.route("/base-url", methods=["GET"])
|
||||
@admin_required
|
||||
async def get_base_url_setting():
|
||||
base_url = await get_base_url()
|
||||
return jsonify({"base_url": base_url})
|
||||
|
||||
|
||||
@admin_bp.route("/base-url", methods=["PUT"])
|
||||
@admin_required
|
||||
async def update_base_url():
|
||||
data = await request.get_json()
|
||||
url = (data.get("base_url") or "").strip().rstrip("/")
|
||||
uid = get_current_user_id()
|
||||
await set_setting(uid, "base_url", url)
|
||||
await log_audit("base_url_config", user_id=uid, username=g.user.username, ip_address=request.remote_addr, details={"base_url": url})
|
||||
return jsonify({"status": "ok"})
|
||||
|
||||
|
||||
@admin_bp.route("/invitations", methods=["POST"])
|
||||
@admin_required
|
||||
async def create_invite():
|
||||
data = await request.get_json()
|
||||
email = (data.get("email") or "").strip().lower()
|
||||
if not email:
|
||||
return jsonify({"error": "Email is required"}), 400
|
||||
|
||||
if not await is_smtp_configured():
|
||||
return jsonify({"error": "SMTP is not configured. Configure email settings first."}), 400
|
||||
|
||||
uid = get_current_user_id()
|
||||
raw_token = await create_invitation(email, uid)
|
||||
base_url = await get_base_url()
|
||||
invite_url = f"{base_url}/register-invite?token={raw_token}"
|
||||
asyncio.create_task(send_invitation_email(email, invite_url, g.user.username))
|
||||
await log_audit(
|
||||
"invitation_created",
|
||||
user_id=uid,
|
||||
username=g.user.username,
|
||||
ip_address=request.remote_addr,
|
||||
details={"invited_email": email},
|
||||
)
|
||||
return jsonify({"status": "ok"}), 201
|
||||
|
||||
|
||||
@admin_bp.route("/invitations", methods=["GET"])
|
||||
@admin_required
|
||||
async def get_invitations():
|
||||
invitations = await list_pending_invitations()
|
||||
return jsonify({
|
||||
"invitations": [
|
||||
{
|
||||
"id": inv.id,
|
||||
"email": inv.email,
|
||||
"created_at": inv.created_at.isoformat(),
|
||||
"expires_at": inv.expires_at.isoformat(),
|
||||
}
|
||||
for inv in invitations
|
||||
]
|
||||
})
|
||||
|
||||
|
||||
@admin_bp.route("/invitations/<int:invitation_id>", methods=["DELETE"])
|
||||
@admin_required
|
||||
async def delete_invitation(invitation_id: int):
|
||||
uid = get_current_user_id()
|
||||
revoked = await revoke_invitation(invitation_id)
|
||||
if not revoked:
|
||||
return jsonify({"error": "Invitation not found or already used"}), 404
|
||||
await log_audit(
|
||||
"invitation_revoked",
|
||||
user_id=uid,
|
||||
username=g.user.username,
|
||||
ip_address=request.remote_addr,
|
||||
details={"invitation_id": invitation_id},
|
||||
)
|
||||
return jsonify({"status": "ok"})
|
||||
|
||||
@@ -3,7 +3,6 @@ import asyncio
|
||||
from quart import Blueprint, g, jsonify, request, session
|
||||
|
||||
from fabledassistant.auth import login_required, get_current_user_id
|
||||
from fabledassistant.config import Config
|
||||
from fabledassistant.services.auth import (
|
||||
authenticate,
|
||||
change_password,
|
||||
@@ -14,7 +13,9 @@ from fabledassistant.services.auth import (
|
||||
get_user_by_username,
|
||||
get_user_count,
|
||||
is_registration_open,
|
||||
register_with_invitation,
|
||||
reset_password_with_token,
|
||||
validate_invitation_token,
|
||||
)
|
||||
from fabledassistant.services.logging import log_audit
|
||||
from fabledassistant.services.notifications import (
|
||||
@@ -22,7 +23,7 @@ from fabledassistant.services.notifications import (
|
||||
send_password_reset_email,
|
||||
send_password_reset_success_email,
|
||||
)
|
||||
from fabledassistant.services.email import is_smtp_configured
|
||||
from fabledassistant.services.email import get_base_url, is_smtp_configured
|
||||
|
||||
auth_bp = Blueprint("auth", __name__, url_prefix="/api/auth")
|
||||
|
||||
@@ -142,7 +143,8 @@ async def forgot_password():
|
||||
user = await get_user_by_email(email)
|
||||
if user and await is_smtp_configured():
|
||||
raw_token = await create_password_reset_token(user.id)
|
||||
reset_url = f"{Config.BASE_URL}/reset-password?token={raw_token}"
|
||||
base_url = await get_base_url()
|
||||
reset_url = f"{base_url}/reset-password?token={raw_token}"
|
||||
asyncio.create_task(send_password_reset_email(user.email, reset_url))
|
||||
await log_audit(
|
||||
"password_reset_requested",
|
||||
@@ -196,6 +198,46 @@ async def reset_password():
|
||||
return jsonify({"status": "ok"})
|
||||
|
||||
|
||||
@auth_bp.route("/invitation/<token>", methods=["GET"])
|
||||
async def check_invitation(token: str):
|
||||
invitation = await validate_invitation_token(token)
|
||||
if not invitation:
|
||||
return jsonify({"valid": False})
|
||||
return jsonify({"valid": True, "email": invitation.email})
|
||||
|
||||
|
||||
@auth_bp.route("/register-with-invite", methods=["POST"])
|
||||
async def register_with_invite():
|
||||
data = await request.get_json()
|
||||
raw_token = (data.get("token") or "").strip()
|
||||
username = (data.get("username") or "").strip()
|
||||
password = data.get("password") or ""
|
||||
|
||||
if not raw_token:
|
||||
return jsonify({"error": "Invitation token is required"}), 400
|
||||
if not username:
|
||||
return jsonify({"error": "Username is required"}), 400
|
||||
if len(password) < 8:
|
||||
return jsonify({"error": "Password must be at least 8 characters"}), 400
|
||||
|
||||
try:
|
||||
user = await register_with_invitation(raw_token, username, password)
|
||||
except Exception:
|
||||
return jsonify({"error": "Username already taken"}), 409
|
||||
|
||||
if not user:
|
||||
return jsonify({"error": "Invalid or expired invitation"}), 400
|
||||
|
||||
session["user_id"] = user.id
|
||||
await log_audit(
|
||||
"register_with_invite",
|
||||
user_id=user.id,
|
||||
username=user.username,
|
||||
ip_address=request.remote_addr,
|
||||
)
|
||||
return jsonify(user.to_dict()), 201
|
||||
|
||||
|
||||
@auth_bp.route("/status", methods=["GET"])
|
||||
async def status():
|
||||
count = await get_user_count()
|
||||
|
||||
@@ -29,6 +29,11 @@ async def list_tasks_route():
|
||||
limit = request.args.get("limit", 50, type=int)
|
||||
offset = request.args.get("offset", 0, type=int)
|
||||
|
||||
due_before_str = request.args.get("due_before")
|
||||
due_after_str = request.args.get("due_after")
|
||||
due_before = date.fromisoformat(due_before_str) if due_before_str else None
|
||||
due_after = date.fromisoformat(due_after_str) if due_after_str else None
|
||||
|
||||
tasks, total = await list_notes(
|
||||
uid,
|
||||
q=q,
|
||||
@@ -36,6 +41,8 @@ async def list_tasks_route():
|
||||
is_task=True,
|
||||
status=status,
|
||||
priority=priority,
|
||||
due_before=due_before,
|
||||
due_after=due_after,
|
||||
sort=sort,
|
||||
order=order,
|
||||
limit=limit,
|
||||
|
||||
@@ -9,6 +9,7 @@ from sqlalchemy import func, select, update
|
||||
from fabledassistant.models import async_session
|
||||
from fabledassistant.models.conversation import Conversation
|
||||
from fabledassistant.models.note import Note
|
||||
from fabledassistant.models.invitation import InvitationToken
|
||||
from fabledassistant.models.password_reset import PasswordResetToken
|
||||
from fabledassistant.models.setting import Setting
|
||||
from fabledassistant.models.user import User
|
||||
@@ -220,3 +221,99 @@ async def reset_password_with_token(raw_token: str, new_password: str) -> bool:
|
||||
|
||||
logger.info("Password reset via token for user %d (%s)", user.id, user.username)
|
||||
return True
|
||||
|
||||
|
||||
async def create_invitation(email: str, invited_by: int) -> str:
|
||||
"""Generate an invitation token. Returns the raw token (for the email link)."""
|
||||
raw_token = secrets.token_urlsafe(32)
|
||||
token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
|
||||
expires_at = datetime.now(timezone.utc) + timedelta(days=7)
|
||||
|
||||
async with async_session() as session:
|
||||
# Invalidate previous unused invitations for same email
|
||||
result = await session.execute(
|
||||
select(InvitationToken).where(
|
||||
func.lower(InvitationToken.email) == email.lower(),
|
||||
InvitationToken.used.is_(False),
|
||||
)
|
||||
)
|
||||
for old_token in result.scalars().all():
|
||||
old_token.used = True
|
||||
|
||||
token = InvitationToken(
|
||||
email=email.lower(),
|
||||
token_hash=token_hash,
|
||||
invited_by=invited_by,
|
||||
expires_at=expires_at,
|
||||
)
|
||||
session.add(token)
|
||||
await session.commit()
|
||||
|
||||
logger.info("Invitation created for %s by user %d", email, invited_by)
|
||||
return raw_token
|
||||
|
||||
|
||||
async def validate_invitation_token(raw_token: str) -> InvitationToken | None:
|
||||
"""Look up by hash, check not used/expired. Returns the token record with email."""
|
||||
token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
|
||||
|
||||
async with async_session() as session:
|
||||
result = await session.execute(
|
||||
select(InvitationToken).where(InvitationToken.token_hash == token_hash)
|
||||
)
|
||||
invitation = result.scalars().first()
|
||||
|
||||
if not invitation:
|
||||
return None
|
||||
if invitation.used:
|
||||
return None
|
||||
if invitation.expires_at < datetime.now(timezone.utc):
|
||||
return None
|
||||
|
||||
return invitation
|
||||
|
||||
|
||||
async def register_with_invitation(raw_token: str, username: str, password: str) -> User | None:
|
||||
"""Validate token, create user with the invitation's email, mark token used."""
|
||||
token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
|
||||
|
||||
async with async_session() as session:
|
||||
result = await session.execute(
|
||||
select(InvitationToken).where(InvitationToken.token_hash == token_hash)
|
||||
)
|
||||
invitation = result.scalars().first()
|
||||
|
||||
if not invitation or invitation.used or invitation.expires_at < datetime.now(timezone.utc):
|
||||
return None
|
||||
|
||||
invitation.used = True
|
||||
await session.commit()
|
||||
|
||||
# Create user outside the invitation session
|
||||
user = await create_user(username, password, invitation.email)
|
||||
logger.info("User '%s' registered via invitation for %s", username, invitation.email)
|
||||
return user
|
||||
|
||||
|
||||
async def list_pending_invitations() -> list[InvitationToken]:
|
||||
"""List unused, non-expired invitations."""
|
||||
async with async_session() as session:
|
||||
result = await session.execute(
|
||||
select(InvitationToken).where(
|
||||
InvitationToken.used.is_(False),
|
||||
InvitationToken.expires_at > datetime.now(timezone.utc),
|
||||
).order_by(InvitationToken.created_at.desc())
|
||||
)
|
||||
return list(result.scalars().all())
|
||||
|
||||
|
||||
async def revoke_invitation(invitation_id: int) -> bool:
|
||||
"""Mark an invitation as used (revoked)."""
|
||||
async with async_session() as session:
|
||||
invitation = await session.get(InvitationToken, invitation_id)
|
||||
if not invitation or invitation.used:
|
||||
return False
|
||||
invitation.used = True
|
||||
await session.commit()
|
||||
logger.info("Invitation %d revoked", invitation_id)
|
||||
return True
|
||||
|
||||
@@ -55,6 +55,20 @@ async def is_smtp_configured() -> bool:
|
||||
return bool(config.get("smtp_host"))
|
||||
|
||||
|
||||
async def get_base_url() -> str:
|
||||
"""Get the application base URL from admin settings, falling back to Config.BASE_URL."""
|
||||
async with async_session() as session:
|
||||
result = await session.execute(
|
||||
select(Setting)
|
||||
.join(User, Setting.user_id == User.id)
|
||||
.where(User.role == "admin", Setting.key == "base_url")
|
||||
)
|
||||
setting = result.scalars().first()
|
||||
if setting and setting.value:
|
||||
return setting.value.rstrip("/")
|
||||
return Config.BASE_URL.rstrip("/")
|
||||
|
||||
|
||||
async def send_email(to: str, subject: str, html_body: str) -> None:
|
||||
"""Send an email via SMTP."""
|
||||
config = await get_smtp_config()
|
||||
|
||||
@@ -51,6 +51,8 @@ async def list_notes(
|
||||
is_task: bool | None = None,
|
||||
status: str | None = None,
|
||||
priority: str | None = None,
|
||||
due_before: date | None = None,
|
||||
due_after: date | None = None,
|
||||
sort: str = "updated_at",
|
||||
order: str = "desc",
|
||||
limit: int = 50,
|
||||
@@ -96,6 +98,13 @@ async def list_notes(
|
||||
query = query.where(Note.priority == priority)
|
||||
count_query = count_query.where(Note.priority == priority)
|
||||
|
||||
if due_before is not None:
|
||||
query = query.where(Note.due_date < due_before)
|
||||
count_query = count_query.where(Note.due_date < due_before)
|
||||
if due_after is not None:
|
||||
query = query.where(Note.due_date >= due_after)
|
||||
count_query = count_query.where(Note.due_date >= due_after)
|
||||
|
||||
sort_col = getattr(Note, sort, Note.updated_at)
|
||||
if order == "asc":
|
||||
query = query.order_by(sort_col.asc())
|
||||
|
||||
@@ -138,6 +138,33 @@ async def send_password_reset_success_email(email: str) -> None:
|
||||
await send_email(email, "Fabled Assistant - Password Changed", html)
|
||||
|
||||
|
||||
async def send_invitation_email(email: str, invite_url: str, invited_by_username: str) -> None:
|
||||
"""Send a branded invitation email with a registration link."""
|
||||
html = f"""
|
||||
<div style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 480px; margin: 0 auto; padding: 24px;">
|
||||
<div style="background: #6366f1; color: #fff; padding: 16px 24px; border-radius: 8px 8px 0 0; text-align: center;">
|
||||
<h1 style="margin: 0; font-size: 20px;">You're Invited!</h1>
|
||||
</div>
|
||||
<div style="background: #f9fafb; padding: 24px; border: 1px solid #e5e7eb; border-top: none; border-radius: 0 0 8px 8px;">
|
||||
<p style="margin: 0 0 16px; color: #374151; font-size: 15px;">
|
||||
<strong>{invited_by_username}</strong> has invited you to join Fabled Assistant. Click the button below to create your account:
|
||||
</p>
|
||||
<div style="text-align: center; margin: 24px 0;">
|
||||
<a href="{invite_url}" style="display: inline-block; background: #6366f1; color: #fff; padding: 12px 32px; border-radius: 6px; text-decoration: none; font-weight: 600; font-size: 15px;">
|
||||
Accept Invitation
|
||||
</a>
|
||||
</div>
|
||||
<p style="margin: 0 0 8px; color: #6b7280; font-size: 13px;">This invitation expires in 7 days.</p>
|
||||
<p style="margin: 0; color: #6b7280; font-size: 13px;">If you weren't expecting this invitation, you can safely ignore this email.</p>
|
||||
<hr style="border: none; border-top: 1px solid #e5e7eb; margin: 16px 0;" />
|
||||
<p style="margin: 0; color: #9ca3af; font-size: 12px;">If the button doesn't work, copy and paste this link into your browser:</p>
|
||||
<p style="margin: 4px 0 0; color: #9ca3af; font-size: 12px; word-break: break-all;">{invite_url}</p>
|
||||
</div>
|
||||
</div>
|
||||
"""
|
||||
await send_email(email, "Fabled Assistant - You're Invited!", html)
|
||||
|
||||
|
||||
async def check_due_tasks() -> None:
|
||||
"""Check for tasks due today and send reminder emails."""
|
||||
if not await is_smtp_configured():
|
||||
|
||||
Reference in New Issue
Block a user