first implementation

2025-12-20 11:12:11 +01:00 · 2025-12-20 11:12:11 +01:00 · 870804e7b9
commit 870804e7b9
parent 79458bcba4
24 changed files with 5485 additions and 184 deletions
--- a/backend/main.py
+++ b/backend/main.py
@ -1,10 +1,10 @@
 from contextlib import asynccontextmanager
-from datetime import datetime
+from datetime import datetime, UTC
 from typing import Callable, Generic, TypeVar

 from fastapi import FastAPI, Depends, HTTPException, Response, status, Query
 from fastapi.middleware.cors import CORSMiddleware
-from pydantic import BaseModel
+from pydantic import BaseModel, EmailStr
 from sqlalchemy import select, func, desc
 from sqlalchemy.ext.asyncio import AsyncSession

@ -23,8 +23,9 @@ from auth import (
    build_user_response,
 )
 from database import engine, get_db, Base
-from models import Counter, User, SumRecord, CounterRecord, Permission, Role, ROLE_REGULAR
+from models import Counter, User, SumRecord, CounterRecord, Permission, Role, ROLE_REGULAR, Invite, InviteStatus
 from validation import validate_profile_fields
+from invite_utils import generate_invite_identifier, normalize_identifier


 R = TypeVar("R", bound=BaseModel)
@ -98,13 +99,88 @@ async def get_default_role(db: AsyncSession) -> Role | None:
    return result.scalar_one_or_none()


+# Invite check endpoint (public)
+class InviteCheckResponse(BaseModel):
+    """Response for invite check endpoint."""
+    valid: bool
+    status: str | None = None
+    error: str | None = None
+
+
+@app.get("/api/invites/{identifier}/check", response_model=InviteCheckResponse)
+async def check_invite(
+    identifier: str,
+    db: AsyncSession = Depends(get_db),
+):
+    """Check if an invite is valid and can be used for signup."""
+    normalized = normalize_identifier(identifier)
+    
+    result = await db.execute(
+        select(Invite).where(Invite.identifier == normalized)
+    )
+    invite = result.scalar_one_or_none()
+    
+    if not invite:
+        return InviteCheckResponse(valid=False, error="Invite not found")
+    
+    if invite.status == InviteStatus.SPENT:
+        return InviteCheckResponse(
+            valid=False, 
+            status=invite.status.value,
+            error="This invite has already been used"
+        )
+    
+    if invite.status == InviteStatus.REVOKED:
+        return InviteCheckResponse(
+            valid=False,
+            status=invite.status.value, 
+            error="This invite has been revoked"
+        )
+    
+    return InviteCheckResponse(valid=True, status=invite.status.value)
+
+
 # Auth endpoints
+class RegisterWithInvite(BaseModel):
+    """Request model for registration with invite."""
+    email: EmailStr
+    password: str
+    invite_identifier: str
+
+
@app.post("/api/auth/register", response_model=UserResponse)
 async def register(
-    user_data: UserCreate,
+    user_data: RegisterWithInvite,
    response: Response,
    db: AsyncSession = Depends(get_db),
 ):
+    """Register a new user using an invite code."""
+    # Validate invite
+    normalized_identifier = normalize_identifier(user_data.invite_identifier)
+    result = await db.execute(
+        select(Invite).where(Invite.identifier == normalized_identifier)
+    )
+    invite = result.scalar_one_or_none()
+    
+    if not invite:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid invite code",
+        )
+    
+    if invite.status == InviteStatus.SPENT:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="This invite has already been used",
+        )
+    
+    if invite.status == InviteStatus.REVOKED:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="This invite has been revoked",
+        )
+    
+    # Check email not already taken
    existing_user = await get_user_by_email(db, user_data.email)
    if existing_user:
        raise HTTPException(
@ -112,17 +188,26 @@ async def register(
            detail="Email already registered",
        )
    
+    # Create user with godfather
    user = User(
        email=user_data.email,
        hashed_password=get_password_hash(user_data.password),
+        godfather_id=invite.godfather_id,
    )
    
-    # Assign default role if it exists
+    # Assign default role
    default_role = await get_default_role(db)
    if default_role:
        user.roles.append(default_role)
    
    db.add(user)
+    await db.flush()  # Get user ID
+    
+    # Mark invite as spent
+    invite.status = InviteStatus.SPENT
+    invite.used_by_id = user.id
+    invite.spent_at = datetime.now(UTC)
+    
    await db.commit()
    await db.refresh(user)
    
@ -333,6 +418,7 @@ class ProfileResponse(BaseModel):
    telegram: str | None
    signal: str | None
    nostr_npub: str | None
+    godfather_email: str | None = None


 class ProfileUpdate(BaseModel):
@ -358,13 +444,22 @@ async def require_regular_user(
@app.get("/api/profile", response_model=ProfileResponse)
 async def get_profile(
    current_user: User = Depends(require_regular_user),
+    db: AsyncSession = Depends(get_db),
 ):
-    """Get the current user's profile (contact details)."""
+    """Get the current user's profile (contact details and godfather)."""
+    godfather_email = None
+    if current_user.godfather_id:
+        result = await db.execute(
+            select(User.email).where(User.id == current_user.godfather_id)
+        )
+        godfather_email = result.scalar_one_or_none()
+    
    return ProfileResponse(
        contact_email=current_user.contact_email,
        telegram=current_user.telegram,
        signal=current_user.signal,
        nostr_npub=current_user.nostr_npub,
+        godfather_email=godfather_email,
    )


@ -398,9 +493,274 @@ async def update_profile(
    await db.commit()
    await db.refresh(current_user)
    
+    # Get godfather email if set
+    godfather_email = None
+    if current_user.godfather_id:
+        gf_result = await db.execute(
+            select(User.email).where(User.id == current_user.godfather_id)
+        )
+        godfather_email = gf_result.scalar_one_or_none()
+    
    return ProfileResponse(
        contact_email=current_user.contact_email,
        telegram=current_user.telegram,
        signal=current_user.signal,
        nostr_npub=current_user.nostr_npub,
+        godfather_email=godfather_email,
+    )
+
+
+# Invite endpoints
+class InviteCreate(BaseModel):
+    """Request model for creating an invite."""
+    godfather_id: int
+
+
+class InviteResponse(BaseModel):
+    """Response model for invite data."""
+    id: int
+    identifier: str
+    godfather_id: int
+    godfather_email: str
+    status: str
+    used_by_id: int | None
+    used_by_email: str | None
+    created_at: datetime
+    spent_at: datetime | None
+    revoked_at: datetime | None
+
+
+@app.post("/api/admin/invites", response_model=InviteResponse)
+async def create_invite(
+    data: InviteCreate,
+    db: AsyncSession = Depends(get_db),
+    _current_user: User = Depends(require_permission(Permission.MANAGE_INVITES)),
+):
+    """Create a new invite for a specified godfather user."""
+    # Validate godfather exists
+    result = await db.execute(select(User).where(User.id == data.godfather_id))
+    godfather = result.scalar_one_or_none()
+    if not godfather:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Godfather user not found",
+        )
+    
+    # Generate unique identifier
+    identifier = generate_invite_identifier()
+    
+    # Create invite
+    invite = Invite(
+        identifier=identifier,
+        godfather_id=godfather.id,
+        status=InviteStatus.READY,
+    )
+    db.add(invite)
+    await db.commit()
+    await db.refresh(invite)
+    
+    return InviteResponse(
+        id=invite.id,
+        identifier=invite.identifier,
+        godfather_id=invite.godfather_id,
+        godfather_email=godfather.email,
+        status=invite.status.value,
+        used_by_id=invite.used_by_id,
+        used_by_email=None,
+        created_at=invite.created_at,
+        spent_at=invite.spent_at,
+        revoked_at=invite.revoked_at,
+    )
+
+
+class UserInviteResponse(BaseModel):
+    """Response model for a user's invite (simpler than admin view)."""
+    id: int
+    identifier: str
+    status: str
+    used_by_email: str | None
+    created_at: datetime
+    spent_at: datetime | None
+
+
+@app.get("/api/invites", response_model=list[UserInviteResponse])
+async def get_my_invites(
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(require_permission(Permission.VIEW_OWN_INVITES)),
+):
+    """Get all invites owned by the current user."""
+    result = await db.execute(
+        select(Invite)
+        .where(Invite.godfather_id == current_user.id)
+        .order_by(desc(Invite.created_at))
+    )
+    invites = result.scalars().all()
+    
+    responses = []
+    for invite in invites:
+        used_by_email = None
+        if invite.used_by_id:
+            # Fetch the user who used this invite
+            user_result = await db.execute(
+                select(User.email).where(User.id == invite.used_by_id)
+            )
+            used_by_email = user_result.scalar_one_or_none()
+        
+        responses.append(UserInviteResponse(
+            id=invite.id,
+            identifier=invite.identifier,
+            status=invite.status.value,
+            used_by_email=used_by_email,
+            created_at=invite.created_at,
+            spent_at=invite.spent_at,
+        ))
+    
+    return responses
+
+
+# Admin Invite Management
+PaginatedInviteRecords = PaginatedResponse[InviteResponse]
+
+
+class AdminUserResponse(BaseModel):
+    """Minimal user info for admin dropdowns."""
+    id: int
+    email: str
+
+
+@app.get("/api/admin/users", response_model=list[AdminUserResponse])
+async def list_users_for_admin(
+    db: AsyncSession = Depends(get_db),
+    _current_user: User = Depends(require_permission(Permission.MANAGE_INVITES)),
+):
+    """List all users for admin dropdowns (invite creation, etc.)."""
+    result = await db.execute(select(User.id, User.email).order_by(User.email))
+    users = result.all()
+    return [AdminUserResponse(id=u.id, email=u.email) for u in users]
+
+
+@app.get("/api/admin/invites", response_model=PaginatedInviteRecords)
+async def list_all_invites(
+    page: int = Query(1, ge=1),
+    per_page: int = Query(10, ge=1, le=100),
+    status_filter: str | None = Query(None, alias="status", description="Filter by status: ready, spent, revoked"),
+    godfather_id: int | None = Query(None, description="Filter by godfather user ID"),
+    db: AsyncSession = Depends(get_db),
+    _current_user: User = Depends(require_permission(Permission.MANAGE_INVITES)),
+):
+    """List all invites with optional filtering and pagination."""
+    # Build query
+    query = select(Invite)
+    count_query = select(func.count(Invite.id))
+    
+    # Apply filters
+    if status_filter:
+        try:
+            status_enum = InviteStatus(status_filter)
+            query = query.where(Invite.status == status_enum)
+            count_query = count_query.where(Invite.status == status_enum)
+        except ValueError:
+            raise HTTPException(
+                status_code=400,
+                detail=f"Invalid status: {status_filter}. Must be ready, spent, or revoked",
+            )
+    
+    if godfather_id:
+        query = query.where(Invite.godfather_id == godfather_id)
+        count_query = count_query.where(Invite.godfather_id == godfather_id)
+    
+    # Get total count
+    count_result = await db.execute(count_query)
+    total = count_result.scalar() or 0
+    total_pages = (total + per_page - 1) // per_page if total > 0 else 1
+    
+    # Get paginated invites
+    offset = (page - 1) * per_page
+    query = query.order_by(desc(Invite.created_at)).offset(offset).limit(per_page)
+    result = await db.execute(query)
+    invites = result.scalars().all()
+    
+    # Build responses with user emails
+    records = []
+    for invite in invites:
+        # Get godfather email
+        gf_result = await db.execute(
+            select(User.email).where(User.id == invite.godfather_id)
+        )
+        godfather_email = gf_result.scalar_one()
+        
+        # Get used_by email if applicable
+        used_by_email = None
+        if invite.used_by_id:
+            ub_result = await db.execute(
+                select(User.email).where(User.id == invite.used_by_id)
+            )
+            used_by_email = ub_result.scalar_one_or_none()
+        
+        records.append(InviteResponse(
+            id=invite.id,
+            identifier=invite.identifier,
+            godfather_id=invite.godfather_id,
+            godfather_email=godfather_email,
+            status=invite.status.value,
+            used_by_id=invite.used_by_id,
+            used_by_email=used_by_email,
+            created_at=invite.created_at,
+            spent_at=invite.spent_at,
+            revoked_at=invite.revoked_at,
+        ))
+    
+    return PaginatedInviteRecords(
+        records=records,
+        total=total,
+        page=page,
+        per_page=per_page,
+        total_pages=total_pages,
+    )
+
+
+@app.post("/api/admin/invites/{invite_id}/revoke", response_model=InviteResponse)
+async def revoke_invite(
+    invite_id: int,
+    db: AsyncSession = Depends(get_db),
+    _current_user: User = Depends(require_permission(Permission.MANAGE_INVITES)),
+):
+    """Revoke an invite. Only READY invites can be revoked."""
+    result = await db.execute(select(Invite).where(Invite.id == invite_id))
+    invite = result.scalar_one_or_none()
+    
+    if not invite:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Invite not found",
+        )
+    
+    if invite.status != InviteStatus.READY:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Cannot revoke invite with status '{invite.status.value}'. Only READY invites can be revoked.",
+        )
+    
+    invite.status = InviteStatus.REVOKED
+    invite.revoked_at = datetime.now(UTC)
+    await db.commit()
+    await db.refresh(invite)
+    
+    # Get godfather email
+    gf_result = await db.execute(
+        select(User.email).where(User.id == invite.godfather_id)
+    )
+    godfather_email = gf_result.scalar_one()
+    
+    return InviteResponse(
+        id=invite.id,
+        identifier=invite.identifier,
+        godfather_id=invite.godfather_id,
+        godfather_email=godfather_email,
+        status=invite.status.value,
+        used_by_id=invite.used_by_id,
+        used_by_email=None,
+        created_at=invite.created_at,
+        spent_at=invite.spent_at,
+        revoked_at=invite.revoked_at,
    )