Merge pull request #48 from Promptly-Technologies-LLC/11-fix-delete-account-flow

11 fix delete account flow

Author: chriscarrollsmith

docs/customization.qmd

@@ -25,7 +25,8 @@ The following fixtures, defined in `tests/conftest.py`, are available in the tes
 - `set_up_database`: Sets up the test database before running the test suite by dropping all tables and recreating them to ensure a clean state.
 - `session`: Provides a session for database operations in tests.
 - `clean_db`: Cleans up the database tables before each test by deleting all entries in the `PasswordResetToken` and `User` tables.
-- `client`: Provides a `TestClient` instance with the session fixture, overriding the `get_session` dependency to use the test session.
+- `auth_client`: Provides a `TestClient` instance with access and refresh token cookies set, overriding the `get_session` dependency to use the `session` fixture.
+- `unauth_client`: Provides a `TestClient` instance without authentication cookies set, overriding the `get_session` dependency to use the `session` fixture.
 - `test_user`: Creates a test user in the database with a predefined name, email, and hashed password.
 
 To run the tests, use these commands:
@@ -43,7 +44,7 @@ The project uses type annotations and mypy for static type checking. To run mypy
 mypy
 ```
 
-We find that mypy is an enormous time-saver, catching many errors early and greatly reducing time spent debugging unit tests. However, note that mypy requires you type annotate every variable, function, and method in your code base, so taking advantage of it is a lifestyle change!
+We find that mypy is an enormous time-saver, catching many errors early and greatly reducing time spent debugging unit tests. However, note that mypy requires you type annotate every variable, function, and method in your code base, so taking advantage of it requires a lifestyle change!
 
 ### Developing with LLMs
 
@@ -84,15 +85,19 @@ We also create POST endpoints, which accept form submissions so the user can cre
 
 #### Routing patterns in this template
 
-In this template, GET routes are defined in the main entry point for the application, `main.py`. POST routes are organized into separate modules within the `routers/` directory. We name our GET routes using the convention `read_<name>`, where `<name>` is the name of the page, to indicate that they are read-only endpoints that do not modify the database.
+In this template, GET routes are defined in the main entry point for the application, `main.py`. POST routes are organized into separate modules within the `routers/` directory.
+
+We name our GET routes using the convention `read_<name>`, where `<name>` is the name of the page, to indicate that they are read-only endpoints that do not modify the database.
 
 We divide our GET routes into authenticated and unauthenticated routes, using commented section headers in our code that look like this:
 
 ```python
 # -- Authenticated Routes --
 ```
 
-Some of our routes take request parameters, which we pass as keyword arguments to the route handler. These parameters should be type annotated for validation purposes. Some parameters are shared across all authenticated or unauthenticated routes, so we define them in the `common_authenticated_parameters` and `common_unauthenticated_parameters` dependencies defined in `main.py`.
+Some of our routes take request parameters, which we pass as keyword arguments to the route handler. These parameters should be type annotated for validation purposes.
+
+Some parameters are shared across all authenticated or unauthenticated routes, so we define them in the `common_authenticated_parameters` and `common_unauthenticated_parameters` dependencies defined in `main.py`.
 
 ### HTML templating with Jinja2
 
@@ -113,7 +118,7 @@ async def welcome(request: Request):
     )
 ```
 
-In this example, the `welcome.html` template will receive two pieces of context: the user's `request`, which is always passed automatically by FastAPI, and a `username` variable, which we specify as "Alice". We can then use the `{{ username }}` syntax in the `welcome.html` template (or any of its parent or child templates) to insert the value into the HTML.
+In this example, the `welcome.html` template will receive two pieces of context: the user's `request`, which is always passed automatically by FastAPI, and a `username` variable, which we specify as "Alice". We can then use the `{{{ username }}}` syntax in the `welcome.html` template (or any of its parent or child templates) to insert the value into the HTML.
 
 #### Form validation strategy
 

docs/installation.qmd

@@ -20,6 +20,8 @@ If you use VSCode with Docker to develop in a container, the following VSCode De
 
 Simply create a `.devcontainer` folder in the root of the project and add a `devcontainer.json` file in the folder with the above content. VSCode may prompt you to install the Dev Container extension if you haven't already, and/or to open the project in a container. If not, you can manually select "Dev Containers: Reopen in Container" from View > Command Palette.
 
+*IMPORTANT: If using this dev container configuration, you will need to set the `DB_HOST` environment variable to "host.docker.internal" in the `.env` file.*
+
 ## Install development dependencies manually
 
 ### Python and Docker
@@ -103,15 +105,32 @@ Set your desired database name, username, and password in the .env file.
 
 To use password recovery, register a [Resend](https://resend.com/) account, verify a domain, get an API key, and paste the API key into the .env file.
 
+If using the dev container configuration, you will need to set the `DB_HOST` environment variable to "host.docker.internal" in the .env file. Otherwise, set `DB_HOST` to "localhost" for local development. (In production, `DB_HOST` will be set to the hostname of the database server.)
+
 ## Start development database
 
+To start the development database, run the following command in your terminal from the root directory:
+
 ``` bash
 docker compose up -d
 ```
 
+If at any point you change the environment variables in the .env file, you will need to stop the database service *and tear down the volume*:
+
+``` bash
+# Don't forget the -v flag to tear down the volume!
+docker compose down -v
+```
+
+You may also need to restart the terminal session to pick up the new environment variables. You can also add the `--force-recreate` and `--build` flags to the startup command to ensure the container is rebuilt:
+
+``` bash
+docker compose up -d --force-recreate --build
+```
+
 ## Run the development server
 
-Make sure the development database is running and tables and default permissions/roles are created first.
+Before running the development server, make sure the development database is running and tables and default permissions/roles are created first. Then run the following command in your terminal from the root directory:
 
 ``` bash
 uvicorn main:app --host 0.0.0.0 --port 8000 --reload

index.qmd

@@ -107,6 +107,8 @@ To use password recovery, register a [Resend](https://resend.com/) account, veri
 
 ### Start development database
 
+To start the development database, run the following command in your terminal from the root directory:
+
 ``` bash
 docker compose up -d
 ```

main.py

@@ -8,7 +8,7 @@
 from fastapi.exceptions import RequestValidationError, HTTPException, StarletteHTTPException
 from sqlmodel import Session
 from routers import authentication, organization, role, user
-from utils.auth import get_authenticated_user, get_optional_user, NeedsNewTokens, get_user_from_reset_token, PasswordValidationError
+from utils.auth import get_authenticated_user, get_optional_user, NeedsNewTokens, get_user_from_reset_token, PasswordValidationError, AuthenticationError
 from utils.models import User
 from utils.db import get_session, set_up_db
 
@@ -37,6 +37,15 @@ async def lifespan(app: FastAPI):
 # -- Exception Handling Middlewares --
 
 
+# Handle AuthenticationError by redirecting to login page
+@app.exception_handler(AuthenticationError)
+async def authentication_error_handler(request: Request, exc: AuthenticationError):
+    return RedirectResponse(
+        url="/login",
+        status_code=status.HTTP_303_SEE_OTHER
+    )
+
+
 # Handle NeedsNewTokens by setting new tokens and redirecting to same page
 @app.exception_handler(NeedsNewTokens)
 async def needs_new_tokens_handler(request: Request, exc: NeedsNewTokens):
@@ -104,10 +113,6 @@ async def validation_exception_handler(request: Request, exc: RequestValidationE
 # Handle StarletteHTTPException (including 404, 405, etc.) by rendering the error page
 @app.exception_handler(StarletteHTTPException)
 async def http_exception_handler(request: Request, exc: StarletteHTTPException):
-    # Don't handle redirects
-    if exc.status_code in [301, 302, 303, 307, 308]:
-        raise exc
-
     return templates.TemplateResponse(
         request,
         "errors/error.html",

routers/authentication.py

@@ -114,7 +114,6 @@ class UserRead(BaseModel):
     organization_id: Optional[int]
     created_at: datetime
     updated_at: datetime
-    deleted: bool
 
 
 # -- Routes --

routers/organization.py

@@ -27,7 +27,6 @@ class OrganizationRead(BaseModel):
     name: str
     created_at: datetime
     updated_at: datetime
-    deleted: bool
 
 
 class OrganizationUpdate(BaseModel):
@@ -113,9 +112,7 @@ def delete_organization(
     if not db_org:
         raise HTTPException(status_code=404, detail="Organization not found")
 
-    db_org.deleted = True
-    db_org.updated_at = datetime.utcnow()
-    session.add(db_org)
+    session.delete(db_org)
     session.commit()
 
     return RedirectResponse(url="/organizations", status_code=303)

routers/role.py

@@ -31,7 +31,6 @@ class RoleRead(BaseModel):
     name: str
     created_at: datetime
     updated_at: datetime
-    deleted: bool
     permissions: List[ValidPermissions]
 
 
@@ -74,7 +73,7 @@ def create_role(
 @router.get("/{role_id}", response_model=RoleRead)
 def read_role(role_id: int, session: Session = Depends(get_session)):
     db_role: Role | None = session.get(Role, role_id)
-    if not db_role or not db_role.id or db_role.deleted:
+    if not db_role or not db_role.id:
         raise HTTPException(status_code=404, detail="Role not found")
 
     permissions = [
@@ -88,7 +87,6 @@ def read_role(role_id: int, session: Session = Depends(get_session)):
         name=db_role.name,
         created_at=db_role.created_at,
         updated_at=db_role.updated_at,
-        deleted=db_role.deleted,
         permissions=permissions
     )
 
@@ -99,7 +97,7 @@ def update_role(
     session: Session = Depends(get_session)
 ) -> RedirectResponse:
     db_role: Role | None = session.get(Role, role.id)
-    if not db_role or not db_role.id or db_role.deleted:
+    if not db_role or not db_role.id:
         raise HTTPException(status_code=404, detail="Role not found")
     role_data = role.model_dump(exclude_unset=True)
     for key, value in role_data.items():
@@ -131,8 +129,6 @@ def delete_role(
     db_role = session.get(Role, role_id)
     if not db_role:
         raise HTTPException(status_code=404, detail="Role not found")
-    db_role.deleted = True
-    db_role.updated_at = utc_time()
-    session.add(db_role)
+    session.delete(db_role)
     session.commit()
     return RedirectResponse(url="/roles", status_code=303)

routers/user.py

@@ -11,7 +11,8 @@
 # -- Server Request and Response Models --
 
 
-class UserProfile(BaseModel):
+class UpdateProfile(BaseModel):
+    """Request model for updating user profile information"""
     name: str
     email: EmailStr
     avatar_url: str
@@ -40,41 +41,40 @@ async def as_form(
 # -- Routes --
 
 
-@router.get("/profile", response_class=RedirectResponse)
-async def view_profile(
-    current_user: User = Depends(get_authenticated_user)
-):
-    # Render the profile page with the current user's data
-    return {"user": current_user}
-
-
-@router.post("/edit_profile", response_class=RedirectResponse)
-async def edit_profile(
-    name: str = Form(...),
-    email: str = Form(...),
-    avatar_url: str = Form(...),
+@router.post("/update_profile", response_class=RedirectResponse)
+async def update_profile(
+    user_profile: UpdateProfile = Depends(UpdateProfile.as_form),
     current_user: User = Depends(get_authenticated_user),
     session: Session = Depends(get_session)
 ):
     # Update user details
-    current_user.name = name
-    current_user.email = email
-    current_user.avatar_url = avatar_url
+    current_user.name = user_profile.name
+    current_user.email = user_profile.email
+    current_user.avatar_url = user_profile.avatar_url
     session.commit()
     session.refresh(current_user)
     return RedirectResponse(url="/profile", status_code=303)
 
 
 @router.post("/delete_account", response_class=RedirectResponse)
 async def delete_account(
-    confirm_delete_password: str = Form(...),
+    user_delete_account: UserDeleteAccount = Depends(
+        UserDeleteAccount.as_form),
     current_user: User = Depends(get_authenticated_user),
     session: Session = Depends(get_session)
 ):
-    if not verify_password(confirm_delete_password, current_user.hashed_password):
-        raise HTTPException(status_code=400, detail="Password is incorrect")
+    if not verify_password(
+        user_delete_account.confirm_delete_password,
+        current_user.hashed_password
+    ):
+        raise HTTPException(
+            status_code=400,
+            detail="Password is incorrect"
+        )
 
-    # Mark the user as deleted
-    current_user.deleted = True
+    # Delete the user
+    session.delete(current_user)
     session.commit()
-    return RedirectResponse(url="/", status_code=303)
+
+    # Log out the user
+    return RedirectResponse(url="/auth/logout", status_code=303)

templates/authentication/register.html

@@ -25,7 +25,7 @@
         <div class="mb-3">
             <label for="password" class="form-label">Password</label>
             <input type="password" class="form-control" id="password" name="password" 
-                   pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~])[A-Za-z\d@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~]{8,}"
+                   pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/])[A-Za-z\d@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/]{8,}"
                    title="Must contain at least one number, one uppercase and lowercase letter, one special character, and at least 8 or more characters" 
                    placeholder="Enter your password" required
                    autocomplete="new-password">

templates/users/profile.html

@@ -34,7 +34,7 @@ <h1 class="mb-4">User Profile</h1>
             Edit Profile
         </div>
         <div class="card-body">
-            <form action="{{ url_for('edit_profile') }}" method="post">
+            <form action="{{ url_for('update_profile') }}" method="post">
                 <div class="mb-3">
                     <label for="name" class="form-label">Name</label>
                     <input type="text" class="form-control" id="name" name="name" value="{{ user.name }}">