b33aa25fb7
Add session_version to users table. Sessions now carry session_version alongside user_id; @login_required rejects any session where the version doesn't match the DB value. - migration 0024: session_version INTEGER NOT NULL DEFAULT 1 - models/user.py: session_version Mapped[int] column - auth.py: version mismatch → session.clear() + 401 - services/auth.py: change_password and reset_password_with_token both increment session_version, evicting all other live sessions - routes/auth.py: login/register/oauth_callback store session_version; update_password rehydrates current session with new version so the user who changed their password stays logged in Existing sessions will require one re-login after the migration runs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
32 lines
1.1 KiB
Python
32 lines
1.1 KiB
Python
from sqlalchemy import Index, Integer, Text
|
|
from sqlalchemy.orm import Mapped, mapped_column
|
|
|
|
from fabledassistant.models import Base
|
|
from fabledassistant.models.base import CreatedAtMixin
|
|
|
|
|
|
class User(Base, CreatedAtMixin):
|
|
__tablename__ = "users"
|
|
|
|
id: Mapped[int] = mapped_column(primary_key=True)
|
|
username: Mapped[str] = mapped_column(Text, unique=True, nullable=False)
|
|
email: Mapped[str | None] = mapped_column(Text, nullable=True)
|
|
password_hash: Mapped[str | None] = mapped_column(Text, nullable=True)
|
|
oauth_sub: Mapped[str | None] = mapped_column(Text, unique=True, nullable=True)
|
|
role: Mapped[str] = mapped_column(Text, nullable=False, default="user")
|
|
session_version: Mapped[int] = mapped_column(Integer, nullable=False, default=1)
|
|
|
|
__table_args__ = (
|
|
Index("ix_users_username", "username"),
|
|
)
|
|
|
|
def to_dict(self) -> dict:
|
|
return {
|
|
"id": self.id,
|
|
"username": self.username,
|
|
"email": self.email,
|
|
"role": self.role,
|
|
"created_at": self.created_at.isoformat(),
|
|
"has_password": self.password_hash is not None,
|
|
}
|