Merge branch 'main' into 1-finish-implementing-roleorg-system

Author: chriscarrollsmith

docs/customization.qmd

@@ -25,7 +25,8 @@ The following fixtures, defined in `tests/conftest.py`, are available in the tes
 - `set_up_database`: Sets up the test database before running the test suite by dropping all tables and recreating them to ensure a clean state.
 - `session`: Provides a session for database operations in tests.
 - `clean_db`: Cleans up the database tables before each test by deleting all entries in the `PasswordResetToken` and `User` tables.
-- `client`: Provides a `TestClient` instance with the session fixture, overriding the `get_session` dependency to use the test session.
+- `auth_client`: Provides a `TestClient` instance with access and refresh token cookies set, overriding the `get_session` dependency to use the `session` fixture.
+- `unauth_client`: Provides a `TestClient` instance without authentication cookies set, overriding the `get_session` dependency to use the `session` fixture.
 - `test_user`: Creates a test user in the database with a predefined name, email, and hashed password.
 
 To run the tests, use these commands:

docs/installation.qmd

@@ -20,6 +20,8 @@ If you use VSCode with Docker to develop in a container, the following VSCode De
 
 Simply create a `.devcontainer` folder in the root of the project and add a `devcontainer.json` file in the folder with the above content. VSCode may prompt you to install the Dev Container extension if you haven't already, and/or to open the project in a container. If not, you can manually select "Dev Containers: Reopen in Container" from View > Command Palette.
 
+*IMPORTANT: If using this dev container configuration, you will need to set the `DB_HOST` environment variable to "host.docker.internal" in the `.env` file.*
+
 ## Install development dependencies manually
 
 ### Python and Docker
@@ -103,15 +105,32 @@ Set your desired database name, username, and password in the .env file.
 
 To use password recovery, register a [Resend](https://resend.com/) account, verify a domain, get an API key, and paste the API key into the .env file.
 
+If using the dev container configuration, you will need to set the `DB_HOST` environment variable to "host.docker.internal" in the .env file. Otherwise, set `DB_HOST` to "localhost" for local development. (In production, `DB_HOST` will be set to the hostname of the database server.)
+
 ## Start development database
 
+To start the development database, run the following command in your terminal from the root directory:
+
 ``` bash
 docker compose up -d
 ```
 
+If at any point you change the environment variables in the .env file, you will need to stop the database service *and tear down the volume*:
+
+``` bash
+# Don't forget the -v flag to tear down the volume!
+docker compose down -v
+```
+
+You may also need to restart the terminal session to pick up the new environment variables. You can also add the `--force-recreate` and `--build` flags to the startup command to ensure the container is rebuilt:
+
+``` bash
+docker compose up -d --force-recreate --build
+```
+
 ## Run the development server
 
-Make sure the development database is running and tables and default permissions/roles are created first.
+Before running the development server, make sure the development database is running and tables and default permissions/roles are created first. Then run the following command in your terminal from the root directory:
 
 ``` bash
 uvicorn main:app --host 0.0.0.0 --port 8000 --reload

index.qmd

@@ -107,6 +107,8 @@ To use password recovery, register a [Resend](https://resend.com/) account, veri
 
 ### Start development database
 
+To start the development database, run the following command in your terminal from the root directory:
+
 ``` bash
 docker compose up -d
 ```

main.py

@@ -8,7 +8,7 @@
 from fastapi.exceptions import RequestValidationError, HTTPException, StarletteHTTPException
 from sqlmodel import Session
 from routers import authentication, organization, role, user
-from utils.auth import get_authenticated_user, get_optional_user, NeedsNewTokens, get_user_from_reset_token, PasswordValidationError
+from utils.auth import get_authenticated_user, get_optional_user, NeedsNewTokens, get_user_from_reset_token, PasswordValidationError, AuthenticationError
 from utils.models import User
 from utils.db import get_session, set_up_db
 from utils.role_org import get_user_organizations, get_organization_roles
@@ -37,6 +37,15 @@ async def lifespan(app: FastAPI):
 # -- Exception Handling Middlewares --
 
 
+# Handle AuthenticationError by redirecting to login page
+@app.exception_handler(AuthenticationError)
+async def authentication_error_handler(request: Request, exc: AuthenticationError):
+    return RedirectResponse(
+        url="/login",
+        status_code=status.HTTP_303_SEE_OTHER
+    )
+
+
 # Handle NeedsNewTokens by setting new tokens and redirecting to same page
 @app.exception_handler(NeedsNewTokens)
 async def needs_new_tokens_handler(request: Request, exc: NeedsNewTokens):
@@ -104,10 +113,6 @@ async def validation_exception_handler(request: Request, exc: RequestValidationE
 # Handle StarletteHTTPException (including 404, 405, etc.) by rendering the error page
 @app.exception_handler(StarletteHTTPException)
 async def http_exception_handler(request: Request, exc: StarletteHTTPException):
-    # Don't handle redirects
-    if exc.status_code in [301, 302, 303, 307, 308]:
-        raise exc
-
     return templates.TemplateResponse(
         request,
         "errors/error.html",

routers/authentication.py

@@ -114,7 +114,6 @@ class UserRead(BaseModel):
     organization_id: Optional[int]
     created_at: datetime
     updated_at: datetime
-    deleted: bool
 
 
 # -- Routes --

routers/organization.py

@@ -83,7 +83,6 @@ class OrganizationRead(BaseModel):
     name: str
     created_at: datetime
     updated_at: datetime
-    deleted: bool
 
 
 class OrganizationUpdate(BaseModel):
@@ -188,12 +187,7 @@ def delete_organization(
     # This will raise appropriate exceptions if org doesn't exist or user lacks access
     organization = get_organization(org_id, user.id, session)
 
-    if not check_user_permission(user.id, org_id, ValidPermissions.DELETE_ORGANIZATION, session):
-        raise InsufficientPermissionsError()
-
-    organization.deleted = True
-    organization.updated_at = utc_time()
-    session.add(organization)
+    session.delete(organization)
     session.commit()
 
     return RedirectResponse(url="/profile", status_code=303)

routers/role.py

@@ -25,7 +25,7 @@ def __init__(self):
 
 
 class RoleNotFoundError(HTTPException):
-    """Raised when a requested role does not exist or is deleted"""
+    """Raised when a requested role does not exist"""
 
     def __init__(self):
         super().__init__(status_code=404, detail="Role not found")
@@ -70,7 +70,6 @@ class RoleRead(BaseModel):
     name: str
     created_at: datetime
     updated_at: datetime
-    deleted: bool
     permissions: List[ValidPermissions]
 
 
@@ -87,7 +86,7 @@ def validate_role_exists(cls, id: int, info):
         session = info.context.get("session")
         if session:
             role = session.get(Role, id)
-            if not role or not role.id or role.deleted:
+            if not role or not role.id:
                 raise RoleNotFoundError()
         return id
 
@@ -141,7 +140,6 @@ def update_role(
     session: Session = Depends(get_session)
 ) -> RedirectResponse:
     db_role: Role | None = session.get(Role, role.id)
-
     role_data = role.model_dump(exclude_unset=True)
     for key, value in role_data.items():
         setattr(db_role, key, value)
@@ -164,6 +162,7 @@ def update_role(
     return RedirectResponse(url="/profile", status_code=303)
 
 
+# TODO: Reject role deletion if anyone in the organization has that role
 @router.delete("/{role_id}", response_class=RedirectResponse)
 def delete_role(
     role_id: int,
@@ -172,10 +171,7 @@ def delete_role(
 ) -> RedirectResponse:
     db_role = session.get(Role, role_id)
     if not db_role:
-        raise RoleNotFoundError()
-
-    db_role.deleted = True
-    db_role.updated_at = utc_time()
-    session.add(db_role)
+        raise HTTPException(status_code=404, detail="Role not found")
+    session.delete(db_role)
     session.commit()
     return RedirectResponse(url="/profile", status_code=303)

routers/user.py

@@ -11,7 +11,8 @@
 # -- Server Request and Response Models --
 
 
-class UserProfile(BaseModel):
+class UpdateProfile(BaseModel):
+    """Request model for updating user profile information"""
     name: str
     email: EmailStr
     avatar_url: str
@@ -40,41 +41,40 @@ async def as_form(
 # -- Routes --
 
 
-@router.get("/profile", response_class=RedirectResponse)
-async def view_profile(
-    current_user: User = Depends(get_authenticated_user)
-):
-    # Render the profile page with the current user's data
-    return {"user": current_user}
-
-
-@router.post("/edit_profile", response_class=RedirectResponse)
-async def edit_profile(
-    name: str = Form(...),
-    email: str = Form(...),
-    avatar_url: str = Form(...),
+@router.post("/update_profile", response_class=RedirectResponse)
+async def update_profile(
+    user_profile: UpdateProfile = Depends(UpdateProfile.as_form),
     current_user: User = Depends(get_authenticated_user),
     session: Session = Depends(get_session)
 ):
     # Update user details
-    current_user.name = name
-    current_user.email = email
-    current_user.avatar_url = avatar_url
+    current_user.name = user_profile.name
+    current_user.email = user_profile.email
+    current_user.avatar_url = user_profile.avatar_url
     session.commit()
     session.refresh(current_user)
     return RedirectResponse(url="/profile", status_code=303)
 
 
 @router.post("/delete_account", response_class=RedirectResponse)
 async def delete_account(
-    confirm_delete_password: str = Form(...),
+    user_delete_account: UserDeleteAccount = Depends(
+        UserDeleteAccount.as_form),
     current_user: User = Depends(get_authenticated_user),
     session: Session = Depends(get_session)
 ):
-    if not verify_password(confirm_delete_password, current_user.hashed_password):
-        raise HTTPException(status_code=400, detail="Password is incorrect")
+    if not verify_password(
+        user_delete_account.confirm_delete_password,
+        current_user.hashed_password
+    ):
+        raise HTTPException(
+            status_code=400,
+            detail="Password is incorrect"
+        )
 
-    # Mark the user as deleted
-    current_user.deleted = True
+    # Delete the user
+    session.delete(current_user)
     session.commit()
-    return RedirectResponse(url="/", status_code=303)
+
+    # Log out the user
+    return RedirectResponse(url="/auth/logout", status_code=303)

templates/authentication/register.html

@@ -25,7 +25,7 @@
         <div class="mb-3">
             <label for="password" class="form-label">Password</label>
             <input type="password" class="form-control" id="password" name="password" 
-                   pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~])[A-Za-z\d@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~]{8,}"
+                   pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/])[A-Za-z\d@$!%*?&\{\}\<\>\.\,\\\\'#\-_=\+\(\)\[\]:;\|~\/]{8,}"
                    title="Must contain at least one number, one uppercase and lowercase letter, one special character, and at least 8 or more characters" 
                    placeholder="Enter your password" required
                    autocomplete="new-password">

templates/users/profile.html

@@ -35,7 +35,7 @@ <h1 class="mb-4">User Profile</h1>
             Edit Profile
         </div>
         <div class="card-body">
-            <form action="{{ url_for('edit_profile') }}" method="post">
+            <form action="{{ url_for('update_profile') }}" method="post">
                 <div class="mb-3">
                     <label for="name" class="form-label">Name</label>
                     <input type="text" class="form-control" id="name" name="name" value="{{ user.name }}">