skrift 0.1.0a1__py3-none-any.whl → 0.1.0a3__py3-none-any.whl

skrift/alembic/env.py

@@ -12,6 +12,7 @@ from skrift.config import get_settings
 from skrift.db.base import Base
 
 # Import all models to ensure they're registered with Base.metadata
+from skrift.db.models.oauth_account import OAuthAccount  # noqa: F401
 from skrift.db.models.user import User  # noqa: F401
 from skrift.db.models.page import Page  # noqa: F401
 from skrift.db.models.role import Role, RolePermission  # noqa: F401
@@ -31,7 +32,7 @@ def get_url() -> str:
     """Get database URL from settings or alembic.ini."""
     try:
         settings = get_settings()
-        return settings.database_url
+        return settings.db.url
     except Exception:
         # Fall back to alembic.ini config if settings can't be loaded
         return config.get_main_option("sqlalchemy.url", "")

skrift/alembic/versions/20260129_add_oauth_accounts.py

@@ -0,0 +1,134 @@
+"""add oauth_accounts table
+
+Revision ID: 1a2b3c4d5e6f
+Revises: 8f3a5c2d1e0b
+Create Date: 2026-01-29 10:00:00.000000
+
+This migration:
+1. Creates the oauth_accounts table to store multiple OAuth identities per user
+2. Migrates existing oauth data from users table to oauth_accounts
+3. Makes users.email nullable (for providers like Twitter that don't provide email)
+4. Removes oauth_provider and oauth_id columns from users table
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from advanced_alchemy.types import GUID, DateTimeUTC
+
+
+# revision identifiers, used by Alembic.
+revision: str = '1a2b3c4d5e6f'
+down_revision: Union[str, None] = '8f3a5c2d1e0b'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Step 1: Create oauth_accounts table
+    op.create_table(
+        'oauth_accounts',
+        sa.Column('id', GUID(length=16), nullable=False),
+        sa.Column('created_at', DateTimeUTC(timezone=True), nullable=False),
+        sa.Column('updated_at', DateTimeUTC(timezone=True), nullable=False),
+        sa.Column('sa_orm_sentinel', sa.Integer(), nullable=True),
+        sa.Column('provider', sa.String(length=50), nullable=False),
+        sa.Column('provider_account_id', sa.String(length=255), nullable=False),
+        sa.Column('provider_email', sa.String(length=255), nullable=True),
+        sa.Column('user_id', GUID(length=16), nullable=False),
+        sa.PrimaryKeyConstraint('id', name=op.f('pk_oauth_accounts')),
+        sa.ForeignKeyConstraint(
+            ['user_id'], ['users.id'],
+            name=op.f('fk_oauth_accounts_user_id_users'),
+            ondelete='CASCADE'
+        ),
+        sa.UniqueConstraint(
+            'provider', 'provider_account_id',
+            name='uq_oauth_provider_account'
+        ),
+    )
+    op.create_index(
+        op.f('ix_oauth_accounts_user_id'),
+        'oauth_accounts',
+        ['user_id'],
+        unique=False
+    )
+    op.create_index(
+        op.f('ix_oauth_accounts_provider_account'),
+        'oauth_accounts',
+        ['provider', 'provider_account_id'],
+        unique=True
+    )
+
+    # Step 2: Migrate existing data from users to oauth_accounts
+    # Generate binary UUIDs (16 bytes) for new records and copy oauth data
+    conn = op.get_bind()
+    conn.execute(sa.text("""
+        INSERT INTO oauth_accounts (id, created_at, updated_at, provider, provider_account_id, provider_email, user_id)
+        SELECT
+            randomblob(16),
+            created_at,
+            updated_at,
+            oauth_provider,
+            oauth_id,
+            email,
+            id
+        FROM users
+        WHERE oauth_provider IS NOT NULL AND oauth_id IS NOT NULL
+    """))
+
+    # Step 3: Make email nullable on users table
+    # SQLite doesn't support ALTER COLUMN, so we need to recreate the table
+    # For SQLite, we'll use batch_alter_table
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        # Drop the unique constraint on oauth_id
+        batch_op.drop_constraint('uq_users_oauth_id', type_='unique')
+        # Drop the oauth columns
+        batch_op.drop_column('oauth_provider')
+        batch_op.drop_column('oauth_id')
+        # Make email nullable - this requires recreating the column in SQLite
+        batch_op.alter_column('email',
+                              existing_type=sa.String(length=255),
+                              nullable=True)
+
+
+def downgrade() -> None:
+    # Step 1: Add back oauth columns to users table
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        batch_op.add_column(sa.Column('oauth_provider', sa.String(length=50), nullable=True))
+        batch_op.add_column(sa.Column('oauth_id', sa.String(length=255), nullable=True))
+        batch_op.alter_column('email',
+                              existing_type=sa.String(length=255),
+                              nullable=False)
+
+    # Step 2: Migrate data back from oauth_accounts to users
+    # Only migrate the first oauth account per user
+    conn = op.get_bind()
+    conn.execute(sa.text("""
+        UPDATE users
+        SET oauth_provider = (
+            SELECT provider FROM oauth_accounts
+            WHERE oauth_accounts.user_id = users.id
+            LIMIT 1
+        ),
+        oauth_id = (
+            SELECT provider_account_id FROM oauth_accounts
+            WHERE oauth_accounts.user_id = users.id
+            LIMIT 1
+        )
+    """))
+
+    # Step 3: Make oauth columns non-nullable and add unique constraint
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        batch_op.alter_column('oauth_provider',
+                              existing_type=sa.String(length=50),
+                              nullable=False)
+        batch_op.alter_column('oauth_id',
+                              existing_type=sa.String(length=255),
+                              nullable=False)
+        batch_op.create_unique_constraint('uq_users_oauth_id', ['oauth_id'])
+
+    # Step 4: Drop oauth_accounts table
+    op.drop_index(op.f('ix_oauth_accounts_provider_account'), table_name='oauth_accounts')
+    op.drop_index(op.f('ix_oauth_accounts_user_id'), table_name='oauth_accounts')
+    op.drop_table('oauth_accounts')

skrift/alembic.ini

@@ -1,8 +1,8 @@
 # Alembic Configuration File
 
 [alembic]
-# Path to migration scripts
-script_location = alembic
+# Path to migration scripts (relative to this file)
+script_location = %(here)s/alembic
 
 # Template used to generate migration files
 file_template = %%(year)d%%(month).2d%%(day).2d_%%(hour).2d%%(minute).2d%%(second).2d_%%(rev)s_%%(slug)s

skrift/asgi.py

@@ -29,7 +29,7 @@ from litestar.static_files import create_static_files_router
 from litestar.template import TemplateConfig
 from litestar.types import ASGIApp, Receive, Scope, Send
 
-from skrift.config import get_settings, is_config_valid
+from skrift.config import get_config_path, get_settings, is_config_valid
 from skrift.db.base import Base
 from skrift.db.services.setting_service import (
     load_site_settings_cache,
@@ -45,7 +45,7 @@ from skrift.lib.exceptions import http_exception_handler, internal_server_error_
 
 def load_controllers() -> list:
     """Load controllers from app.yaml configuration."""
-    config_path = Path.cwd() / "app.yaml"
+    config_path = get_config_path()
 
     if not config_path.exists():
         return []
@@ -196,12 +196,7 @@ class AppDispatcher:
             await self.setup_app(scope, receive, send)
             return
 
-        # For /auth/* during setup, route to setup app (OAuth callbacks)
-        if path.startswith("/auth"):
-            await self.setup_app(scope, receive, send)
-            return
-
-        # Non-setup path: check if setup is complete in DB
+        # Check if setup is complete in DB
         if await self._is_setup_complete_in_db():
             # Setup complete - try to get/create main app
             main_app = await self._get_or_create_main_app()
@@ -215,8 +210,13 @@ class AppDispatcher:
                     f"Setup complete but cannot start application: {self._main_app_error}"
                 )
         else:
-            # Setup not complete - redirect to /setup
-            await self._redirect(send, "/setup")
+            # Setup not complete
+            # Route /auth/* to setup app for OAuth callbacks during setup
+            if path.startswith("/auth"):
+                await self.setup_app(scope, receive, send)
+            else:
+                # Redirect other paths to /setup
+                await self._redirect(send, "/setup")
 
     async def _is_setup_complete_in_db(self) -> bool:
         """Check if setup is complete in the database."""
@@ -270,6 +270,10 @@ def create_app() -> Litestar:
     This app has all routes for normal operation. It is used by the dispatcher
     after setup is complete.
     """
+    # CRITICAL: Check for dummy auth in production BEFORE anything else
+    from skrift.setup.providers import validate_no_dummy_auth_in_production
+    validate_no_dummy_auth_in_production()
+
     settings = get_settings()
 
     # Load controllers from app.yaml
@@ -404,7 +408,7 @@ def create_setup_app() -> Litestar:
 
     # Also try to get the raw db URL from config (before env var resolution)
     if not db_url:
-        config_path = Path.cwd() / "app.yaml"
+        config_path = get_config_path()
         if config_path.exists():
             try:
                 with open(config_path, "r") as f:
@@ -493,6 +497,10 @@ def create_dispatcher() -> ASGIApp:
     This is the main entry point. The dispatcher handles routing between
     setup and main apps, with lazy creation of the main app after setup completes.
     """
+    # CRITICAL: Check for dummy auth in production BEFORE anything else
+    from skrift.setup.providers import validate_no_dummy_auth_in_production
+    validate_no_dummy_auth_in_production()
+
     global _dispatcher
     from skrift.setup.state import get_database_url_from_yaml
 

skrift/cli.py

@@ -19,24 +19,33 @@ def db() -> None:
     """
     from alembic.config import main as alembic_main
 
-    # Ensure we're running from the project root where alembic.ini is located
-    # If alembic.ini is not in cwd, check common locations
-    alembic_ini = Path.cwd() / "alembic.ini"
-
+    import os
+
+    # Always run from the project root (where app.yaml and .env are)
+    # This ensures database paths like ./app.db resolve correctly
+    project_root = Path.cwd()
+    if not (project_root / "app.yaml").exists():
+        # If not in project root, try parent directory
+        project_root = Path(__file__).parent.parent
+    os.chdir(project_root)
+
+    # Find alembic.ini - check project root first, then skrift package directory
+    alembic_ini = project_root / "alembic.ini"
     if not alembic_ini.exists():
-        # Try to find alembic.ini relative to this module
-        module_dir = Path(__file__).parent.parent
-        alembic_ini = module_dir / "alembic.ini"
-
-        if alembic_ini.exists():
-            # Change to the directory containing alembic.ini
-            import os
-            os.chdir(module_dir)
-        else:
+        skrift_dir = Path(__file__).parent
+        alembic_ini = skrift_dir / "alembic.ini"
+
+        if not alembic_ini.exists():
             print("Error: Could not find alembic.ini", file=sys.stderr)
             print("Make sure you're running from the project root directory.", file=sys.stderr)
             sys.exit(1)
 
+    # Build argv with config path at the beginning (before any subcommand)
+    # Original argv: ['skrift-db', 'upgrade', 'head']
+    # New argv: ['skrift-db', '-c', '/path/to/alembic.ini', 'upgrade', 'head']
+    new_argv = [sys.argv[0], "-c", str(alembic_ini)] + sys.argv[1:]
+    sys.argv = new_argv
+
     # Pass through all CLI arguments to Alembic
     sys.exit(alembic_main(sys.argv[1:]))
 

skrift/config.py

@@ -16,6 +16,31 @@ load_dotenv(_env_file)
 # Pattern to match $VAR_NAME environment variable references
 ENV_VAR_PATTERN = re.compile(r"\$([A-Z_][A-Z0-9_]*)")
 
+# Environment configuration
+SKRIFT_ENV = "SKRIFT_ENV"
+DEFAULT_ENVIRONMENT = "production"
+
+
+def get_environment() -> str:
+    """Get the current environment name, normalized to lowercase.
+
+    Reads from SKRIFT_ENV environment variable. Defaults to "production".
+    """
+    env = os.environ.get(SKRIFT_ENV, DEFAULT_ENVIRONMENT)
+    return env.lower().strip()
+
+
+def get_config_path() -> Path:
+    """Get the path to the environment-specific config file.
+
+    Production -> app.yaml
+    Other envs -> app.{env}.yaml (e.g., app.dev.yaml)
+    """
+    env = get_environment()
+    if env == "production":
+        return Path.cwd() / "app.yaml"
+    return Path.cwd() / f"app.{env}.yaml"
+
 
 def interpolate_env_vars(value, strict: bool = True):
     """Recursively replace $VAR_NAME with os.environ values.
@@ -54,10 +79,10 @@ def load_app_config(interpolate: bool = True, strict: bool = True) -> dict:
     Returns:
         Parsed configuration dictionary
     """
-    config_path = Path.cwd() / "app.yaml"
+    config_path = get_config_path()
 
     if not config_path.exists():
-        raise FileNotFoundError(f"app.yaml not found at {config_path}")
+        raise FileNotFoundError(f"{config_path.name} not found at {config_path}")
 
     with open(config_path, "r") as f:
         config = yaml.safe_load(f)
@@ -69,7 +94,7 @@ def load_app_config(interpolate: bool = True, strict: bool = True) -> dict:
 
 def load_raw_app_config() -> dict | None:
     """Load app.yaml without any processing. Returns None if file doesn't exist."""
-    config_path = Path.cwd() / "app.yaml"
+    config_path = get_config_path()
 
     if not config_path.exists():
         return None
@@ -98,11 +123,40 @@ class OAuthProviderConfig(BaseModel):
     tenant_id: str | None = None
 
 
+class DummyProviderConfig(BaseModel):
+    """Dummy provider configuration (no credentials required)."""
+
+    pass
+
+
+# Union type for provider configs - dummy has no required fields
+ProviderConfig = OAuthProviderConfig | DummyProviderConfig
+
+
 class AuthConfig(BaseModel):
     """Authentication configuration."""
 
     redirect_base_url: str = "http://localhost:8000"
-    providers: dict[str, OAuthProviderConfig] = {}
+    providers: dict[str, ProviderConfig] = {}
+
+    @classmethod
+    def _parse_provider(cls, name: str, config: dict) -> ProviderConfig:
+        """Parse a provider config, using the appropriate model based on provider name."""
+        if name == "dummy":
+            return DummyProviderConfig(**config)
+        return OAuthProviderConfig(**config)
+
+    def __init__(self, **data):
+        # Convert raw provider dicts to appropriate config objects
+        if "providers" in data and isinstance(data["providers"], dict):
+            parsed_providers = {}
+            for name, config in data["providers"].items():
+                if isinstance(config, dict):
+                    parsed_providers[name] = self._parse_provider(name, config)
+                else:
+                    parsed_providers[name] = config
+            data["providers"] = parsed_providers
+        super().__init__(**data)
 
     def get_redirect_uri(self, provider: str) -> str:
         """Get the OAuth callback URL for a provider."""
@@ -137,7 +191,7 @@ def is_config_valid() -> tuple[bool, str | None]:
     try:
         config = load_raw_app_config()
         if config is None:
-            return False, "app.yaml not found"
+            return False, f"{get_config_path().name} not found"
 
         # Check database URL
         db_config = config.get("db", {})

skrift/controllers/auth.py

@@ -1,6 +1,7 @@
 """Authentication controller for OAuth login flows.
 
 Supports multiple OAuth providers: Google, GitHub, Microsoft, Discord, Facebook, X (Twitter).
+Also supports a development-only "dummy" provider for testing.
 """
 
 import base64
@@ -11,16 +12,18 @@ from typing import Annotated
 from urllib.parse import urlencode
 
 import httpx
-from litestar import Controller, Request, get
+from litestar import Controller, Request, get, post
 from litestar.exceptions import HTTPException, NotFoundException
 from litestar.params import Parameter
 from litestar.response import Redirect, Template as TemplateResponse
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy.orm import selectinload
 
 from skrift.config import get_settings
+from skrift.db.models.oauth_account import OAuthAccount
 from skrift.db.models.user import User
-from skrift.setup.providers import OAUTH_PROVIDERS, get_provider_info
+from skrift.setup.providers import DUMMY_PROVIDER_KEY, OAUTH_PROVIDERS, get_provider_info
 
 
 def get_auth_url(provider: str, settings, state: str, code_challenge: str | None = None) -> str:
@@ -227,8 +230,8 @@ class AuthController(Controller):
         self,
         request: Request,
         provider: str,
-    ) -> Redirect:
-        """Redirect to OAuth provider consent screen."""
+    ) -> Redirect | TemplateResponse:
+        """Redirect to OAuth provider consent screen, or show dummy login form."""
         settings = get_settings()
         provider_info = get_provider_info(provider)
 
@@ -238,6 +241,14 @@ class AuthController(Controller):
         if provider not in settings.auth.providers:
             raise NotFoundException(f"Provider {provider} not configured")
 
+        # Dummy provider shows local login form instead of redirecting to OAuth
+        if provider == DUMMY_PROVIDER_KEY:
+            flash = request.session.pop("flash", None)
+            return TemplateResponse(
+                "auth/dummy_login.html",
+                context={"flash": flash},
+            )
+
         # Generate CSRF state token
         state = secrets.token_urlsafe(32)
         request.session["oauth_state"] = state
@@ -306,30 +317,67 @@ class AuthController(Controller):
         if not oauth_id:
             raise HTTPException(status_code=400, detail="Could not determine user ID")
 
-        # Find or create user
+        email = user_data["email"]
+
+        # Step 1: Check if OAuth account already exists
         result = await db_session.execute(
-            select(User).where(User.oauth_id == oauth_id, User.oauth_provider == provider)
+            select(OAuthAccount)
+            .options(selectinload(OAuthAccount.user))
+            .where(OAuthAccount.provider == provider, OAuthAccount.provider_account_id == oauth_id)
         )
-        user = result.scalar_one_or_none()
+        oauth_account = result.scalar_one_or_none()
 
-        if user:
-            # Update existing user
+        if oauth_account:
+            # Existing OAuth account - update user profile
+            user = oauth_account.user
             user.name = user_data["name"]
             if user_data["picture_url"]:
                 user.picture_url = user_data["picture_url"]
             user.last_login_at = datetime.now(UTC)
+            # Update provider email if changed
+            if email:
+                oauth_account.provider_email = email
         else:
-            # Create new user (admin role is only assigned through setup flow)
-            user = User(
-                oauth_provider=provider,
-                oauth_id=oauth_id,
-                email=user_data["email"],
-                name=user_data["name"],
-                picture_url=user_data["picture_url"],
-                last_login_at=datetime.now(UTC),
-            )
-            db_session.add(user)
-            await db_session.flush()
+            # Step 2: Check if a user with this email already exists
+            user = None
+            if email:
+                result = await db_session.execute(
+                    select(User).where(User.email == email)
+                )
+                user = result.scalar_one_or_none()
+
+            if user:
+                # Link new OAuth account to existing user
+                oauth_account = OAuthAccount(
+                    provider=provider,
+                    provider_account_id=oauth_id,
+                    provider_email=email,
+                    user_id=user.id,
+                )
+                db_session.add(oauth_account)
+                # Update user profile
+                user.name = user_data["name"]
+                if user_data["picture_url"]:
+                    user.picture_url = user_data["picture_url"]
+                user.last_login_at = datetime.now(UTC)
+            else:
+                # Step 3: Create new user + OAuth account
+                user = User(
+                    email=email,
+                    name=user_data["name"],
+                    picture_url=user_data["picture_url"],
+                    last_login_at=datetime.now(UTC),
+                )
+                db_session.add(user)
+                await db_session.flush()
+
+                oauth_account = OAuthAccount(
+                    provider=provider,
+                    provider_account_id=oauth_id,
+                    provider_email=email,
+                    user_id=user.id,
+                )
+                db_session.add(oauth_account)
 
         await db_session.commit()
 
@@ -348,22 +396,120 @@ class AuthController(Controller):
         flash = request.session.pop("flash", None)
         settings = get_settings()
 
-        # Get configured providers
+        # Get configured providers (excluding dummy from main list)
         configured_providers = list(settings.auth.providers.keys())
         providers = {
             key: OAUTH_PROVIDERS[key]
             for key in configured_providers
-            if key in OAUTH_PROVIDERS
+            if key in OAUTH_PROVIDERS and key != DUMMY_PROVIDER_KEY
         }
 
+        # Check if dummy provider is configured
+        has_dummy = DUMMY_PROVIDER_KEY in settings.auth.providers
+
         return TemplateResponse(
             "auth/login.html",
             context={
                 "flash": flash,
                 "providers": providers,
+                "has_dummy": has_dummy,
             },
         )
 
+    @post("/dummy-login")
+    async def dummy_login_submit(
+        self,
+        request: Request,
+        db_session: AsyncSession,
+    ) -> Redirect:
+        """Process dummy login form submission."""
+        settings = get_settings()
+
+        if DUMMY_PROVIDER_KEY not in settings.auth.providers:
+            raise NotFoundException("Dummy provider not configured")
+
+        # Parse form data from request
+        form_data = await request.form()
+        email = form_data.get("email", "").strip()
+        name = form_data.get("name", "").strip()
+
+        if not email:
+            request.session["flash"] = "Email is required"
+            return Redirect(path="/auth/dummy/login")
+
+        # Default name to email username if not provided
+        if not name:
+            name = email.split("@")[0]
+
+        # Generate deterministic oauth_id from email
+        oauth_id = f"dummy_{hashlib.sha256(email.encode()).hexdigest()[:16]}"
+
+        # Step 1: Check if OAuth account already exists
+        result = await db_session.execute(
+            select(OAuthAccount)
+            .options(selectinload(OAuthAccount.user))
+            .where(
+                OAuthAccount.provider == DUMMY_PROVIDER_KEY,
+                OAuthAccount.provider_account_id == oauth_id,
+            )
+        )
+        oauth_account = result.scalar_one_or_none()
+
+        if oauth_account:
+            # Existing OAuth account - update user profile
+            user = oauth_account.user
+            user.name = name
+            user.email = email
+            user.last_login_at = datetime.now(UTC)
+            oauth_account.provider_email = email
+        else:
+            # Step 2: Check if a user with this email already exists
+            result = await db_session.execute(
+                select(User).where(User.email == email)
+            )
+            user = result.scalar_one_or_none()
+
+            if user:
+                # Link new OAuth account to existing user
+                oauth_account = OAuthAccount(
+                    provider=DUMMY_PROVIDER_KEY,
+                    provider_account_id=oauth_id,
+                    provider_email=email,
+                    user_id=user.id,
+                )
+                db_session.add(oauth_account)
+                # Update user profile
+                user.name = name
+                user.last_login_at = datetime.now(UTC)
+            else:
+                # Step 3: Create new user + OAuth account
+                user = User(
+                    email=email,
+                    name=name,
+                    last_login_at=datetime.now(UTC),
+                )
+                db_session.add(user)
+                await db_session.flush()
+
+                oauth_account = OAuthAccount(
+                    provider=DUMMY_PROVIDER_KEY,
+                    provider_account_id=oauth_id,
+                    provider_email=email,
+                    user_id=user.id,
+                )
+                db_session.add(oauth_account)
+
+        await db_session.commit()
+
+        # Set session with user info
+        request.session["user_id"] = str(user.id)
+        request.session["user_name"] = user.name
+        request.session["user_email"] = user.email
+        request.session["user_picture_url"] = user.picture_url
+        request.session["flash"] = "Successfully logged in!"
+
+        return Redirect(path="/")
+
     @get("/logout")
     async def logout(self, request: Request) -> Redirect:
         """Clear session and redirect to home."""

skrift/db/models/__init__.py

@@ -1,6 +1,7 @@
+from skrift.db.models.oauth_account import OAuthAccount
 from skrift.db.models.page import Page
 from skrift.db.models.role import Role, RolePermission, user_roles
 from skrift.db.models.setting import Setting
 from skrift.db.models.user import User
 
-__all__ = ["Page", "Role", "RolePermission", "Setting", "User", "user_roles"]
+__all__ = ["OAuthAccount", "Page", "Role", "RolePermission", "Setting", "User", "user_roles"]