skrift 0.1.0a1__py3-none-any.whl → 0.1.0a3__py3-none-any.whl

skrift/db/models/oauth_account.py

@@ -0,0 +1,37 @@
+"""OAuth account model for storing multiple OAuth identities per user."""
+
+from typing import TYPE_CHECKING
+from uuid import UUID
+
+from sqlalchemy import ForeignKey, String, UniqueConstraint
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from skrift.db.base import Base
+
+if TYPE_CHECKING:
+    from skrift.db.models.user import User
+
+
+class OAuthAccount(Base):
+    """OAuth account model linking OAuth provider identities to users.
+
+    This allows a single user to have multiple OAuth provider accounts
+    linked to their profile, enabling login via different providers.
+    """
+
+    __tablename__ = "oauth_accounts"
+
+    provider: Mapped[str] = mapped_column(String(50), nullable=False)
+    provider_account_id: Mapped[str] = mapped_column(String(255), nullable=False)
+    provider_email: Mapped[str | None] = mapped_column(String(255), nullable=True)
+    user_id: Mapped[UUID] = mapped_column(
+        ForeignKey("users.id", ondelete="CASCADE"), nullable=False
+    )
+
+    user: Mapped["User"] = relationship("User", back_populates="oauth_accounts")
+
+    __table_args__ = (
+        UniqueConstraint(
+            "provider", "provider_account_id", name="uq_oauth_provider_account"
+        ),
+    )

skrift/db/models/user.py

@@ -7,6 +7,7 @@ from sqlalchemy.orm import Mapped, mapped_column, relationship
 from skrift.db.base import Base
 
 if TYPE_CHECKING:
+    from skrift.db.models.oauth_account import OAuthAccount
     from skrift.db.models.page import Page
     from skrift.db.models.role import Role
 
@@ -16,12 +17,8 @@ class User(Base):
 
     __tablename__ = "users"
 
-    # OAuth identifiers
-    oauth_provider: Mapped[str] = mapped_column(String(50), nullable=False)
-    oauth_id: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
-
     # Profile data from OAuth provider
-    email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+    email: Mapped[str | None] = mapped_column(String(255), nullable=True, unique=True)
     name: Mapped[str | None] = mapped_column(String(255), nullable=True)
     picture_url: Mapped[str | None] = mapped_column(String(512), nullable=True)
 
@@ -30,6 +27,9 @@ class User(Base):
     last_login_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
 
     # Relationships
+    oauth_accounts: Mapped[list["OAuthAccount"]] = relationship(
+        "OAuthAccount", back_populates="user", cascade="all, delete-orphan"
+    )
     pages: Mapped[list["Page"]] = relationship("Page", back_populates="user")
     roles: Mapped[list["Role"]] = relationship(
         "Role", secondary="user_roles", back_populates="users", lazy="selectin"

skrift/setup/config_writer.py

@@ -7,6 +7,8 @@ from typing import Any
 
 from ruamel.yaml import YAML
 
+from skrift.config import get_config_path as _get_config_path
+
 # Default app.yaml structure
 DEFAULT_CONFIG = {
     "controllers": [
@@ -29,8 +31,8 @@ DEFAULT_CONFIG = {
 
 
 def get_config_path() -> Path:
-    """Get the path to app.yaml."""
-    return Path.cwd() / "app.yaml"
+    """Get the path to the current environment's config file."""
+    return _get_config_path()
 
 
 def backup_config() -> Path | None:

skrift/setup/controller.py

@@ -1,12 +1,13 @@
 """Setup wizard controller for first-time Skrift configuration."""
 
+import asyncio
 import base64
 import hashlib
+import json
 import secrets
-import subprocess
+from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager
 from datetime import UTC, datetime
-from pathlib import Path
 from urllib.parse import urlencode
 
 import httpx
@@ -16,9 +17,12 @@ from litestar import Controller, Request, get, post
 from litestar.exceptions import HTTPException
 from litestar.params import Parameter
 from litestar.response import Redirect, Template as TemplateResponse
-from sqlalchemy import func, select
+from litestar.response.sse import ServerSentEvent
+from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession, create_async_engine, async_sessionmaker
+from sqlalchemy.orm import selectinload
 
+from skrift.db.models.oauth_account import OAuthAccount
 from skrift.db.models.role import Role, user_roles
 from skrift.db.models.user import User
 from skrift.db.services import setting_service
@@ -32,7 +36,15 @@ from skrift.setup.config_writer import (
     update_database_config,
 )
 from skrift.setup.providers import get_all_providers, get_provider_info
-from skrift.setup.state import can_connect_to_database, app_yaml_exists, get_database_url_from_yaml
+from skrift.setup.state import (
+    can_connect_to_database,
+    get_database_url_from_yaml,
+    get_first_incomplete_step,
+    is_auth_configured,
+    is_site_configured,
+    run_migrations_if_needed,
+    reset_migrations_flag,
+)
 
 
 @asynccontextmanager
@@ -75,27 +87,32 @@ class SetupController(Controller):
 
     @get("/")
     async def index(self, request: Request) -> Redirect:
-        """Redirect to appropriate setup step."""
-        # Check wizard progress from session
-        wizard_step = request.session.get("setup_wizard_step", "database")
-
-        # If we don't have app.yaml or db isn't configured, start at database
-        if not app_yaml_exists():
-            return Redirect(path="/setup/database")
+        """Redirect to the first incomplete setup step.
 
+        Uses smart detection to skip already-configured steps, allowing users
+        to resume setup without re-entering existing configuration.
+        """
+        # Check if database is configured and connectable
         can_connect, _ = await can_connect_to_database()
-        if not can_connect:
-            return Redirect(path="/setup/database")
+        if can_connect:
+            # Database is configured - go through configuring page to run migrations
+            return Redirect(path="/setup/configuring")
 
-        # Otherwise go to the saved step
-        return Redirect(path=f"/setup/{wizard_step}")
+        # Database not configured - go to database step
+        request.session["setup_wizard_step"] = "database"
+        return Redirect(path="/setup/database")
 
     @get("/database")
-    async def database_step(self, request: Request) -> TemplateResponse:
+    async def database_step(self, request: Request) -> TemplateResponse | Redirect:
         """Step 1: Database configuration."""
         flash = request.session.pop("flash", None)
         error = request.session.pop("setup_error", None)
 
+        # If database is already configured and no errors, go to configuring page
+        can_connect, _ = await can_connect_to_database()
+        if can_connect and not error:
+            return Redirect(path="/setup/configuring")
+
         # Load current config if exists
         config = load_config()
         db_config = config.get("db", {})
@@ -167,41 +184,9 @@ class SetupController(Controller):
                 request.session["setup_error"] = f"Connection failed: {error}"
                 return Redirect(path="/setup/database")
 
-            # Run migrations
-            try:
-                result = subprocess.run(
-                    ["skrift-db", "upgrade", "head"],
-                    capture_output=True,
-                    text=True,
-                    cwd=Path.cwd(),
-                    timeout=60,
-                )
-                if result.returncode != 0:
-                    request.session["setup_error"] = f"Migration failed: {result.stderr}"
-                    return Redirect(path="/setup/database")
-            except subprocess.TimeoutExpired:
-                request.session["setup_error"] = "Migration timed out"
-                return Redirect(path="/setup/database")
-            except FileNotFoundError:
-                # skrift-db might not be installed yet, try alembic directly
-                try:
-                    result = subprocess.run(
-                        ["alembic", "upgrade", "head"],
-                        capture_output=True,
-                        text=True,
-                        cwd=Path.cwd(),
-                        timeout=60,
-                    )
-                    if result.returncode != 0:
-                        request.session["setup_error"] = f"Migration failed: {result.stderr}"
-                        return Redirect(path="/setup/database")
-                except Exception as e:
-                    request.session["setup_error"] = f"Could not run migrations: {e}"
-                    return Redirect(path="/setup/database")
-
-            request.session["setup_wizard_step"] = "auth"
-            request.session["flash"] = "Database configured successfully!"
-            return Redirect(path="/setup/auth")
+            # Connection successful - redirect to configuring page to run migrations
+            request.session["setup_wizard_step"] = "configuring"
+            return Redirect(path="/setup/configuring")
 
         except Exception as e:
             request.session["setup_error"] = str(e)
@@ -213,12 +198,116 @@ class SetupController(Controller):
         request.session["setup_wizard_step"] = "auth"
         return Redirect(path="/setup/auth")
 
+    @get("/configuring")
+    async def configuring_step(self, request: Request) -> TemplateResponse | Redirect:
+        """Database configuration in progress page.
+
+        Shows a loading spinner while migrations run via SSE.
+        """
+        flash = request.session.pop("flash", None)
+        error = request.session.pop("setup_error", None)
+
+        # Verify we can connect to the database first
+        can_connect, connection_error = await can_connect_to_database()
+        if not can_connect:
+            request.session["setup_error"] = f"Cannot connect to database: {connection_error}"
+            return Redirect(path="/setup/database")
+
+        # Reset migrations flag so they run fresh via SSE
+        reset_migrations_flag()
+
+        return TemplateResponse(
+            "setup/configuring.html",
+            context={
+                "flash": flash,
+                "error": error,
+                "step": 1,
+                "total_steps": 4,
+            },
+        )
+
+    @get("/configuring/status")
+    async def configuring_status(self, request: Request) -> ServerSentEvent:
+        """SSE endpoint for database configuration status.
+
+        Streams migration progress and completion status.
+        """
+        async def generate_status() -> AsyncGenerator[str, None]:
+            # Send initial status
+            yield json.dumps({
+                "status": "running",
+                "message": "Testing database connection...",
+                "detail": "",
+            })
+
+            await asyncio.sleep(0.5)
+
+            # Test connection
+            can_connect, connection_error = await can_connect_to_database()
+            if not can_connect:
+                yield json.dumps({
+                    "status": "error",
+                    "message": f"Database connection failed: {connection_error}",
+                })
+                return
+
+            yield json.dumps({
+                "status": "running",
+                "message": "Running database migrations...",
+                "detail": "This may take a moment",
+            })
+
+            await asyncio.sleep(0.3)
+
+            # Run migrations
+            success, error = run_migrations_if_needed()
+
+            if not success:
+                yield json.dumps({
+                    "status": "error",
+                    "message": f"Migration failed: {error}",
+                })
+                return
+
+            yield json.dumps({
+                "status": "running",
+                "message": "Verifying database schema...",
+                "detail": "",
+            })
+
+            await asyncio.sleep(0.3)
+
+            # Determine next step
+            if is_auth_configured():
+                if await is_site_configured():
+                    next_step = "admin"
+                else:
+                    next_step = "site"
+            else:
+                next_step = "auth"
+
+            # All done - include next step
+            yield json.dumps({
+                "status": "complete",
+                "message": "Database configured successfully!",
+                "next_step": next_step,
+            })
+
+        return ServerSentEvent(generate_status())
+
     @get("/auth")
-    async def auth_step(self, request: Request) -> TemplateResponse:
+    async def auth_step(self, request: Request) -> TemplateResponse | Redirect:
         """Step 2: Authentication providers."""
         flash = request.session.pop("flash", None)
         error = request.session.pop("setup_error", None)
 
+        # If auth is already configured and no errors, skip to next step
+        if is_auth_configured() and not error:
+            next_step = await get_first_incomplete_step()
+            if next_step.value != "auth":
+                request.session["setup_wizard_step"] = next_step.value
+                return Redirect(path=f"/setup/{next_step.value}")
+
         # Get current redirect URL from request
         scheme = request.headers.get("x-forwarded-proto", request.url.scheme)
         host = request.headers.get("host", request.url.netloc)
@@ -291,20 +380,29 @@ class SetupController(Controller):
                 use_env_vars=use_env_vars,
             )
 
-            request.session["setup_wizard_step"] = "site"
+            # Determine next step using smart detection
+            next_step = await get_first_incomplete_step()
+            request.session["setup_wizard_step"] = next_step.value
             request.session["flash"] = "Authentication configured successfully!"
-            return Redirect(path="/setup/site")
+            return Redirect(path=f"/setup/{next_step.value}")
 
         except Exception as e:
             request.session["setup_error"] = str(e)
             return Redirect(path="/setup/auth")
 
     @get("/site")
-    async def site_step(self, request: Request) -> TemplateResponse:
+    async def site_step(self, request: Request) -> TemplateResponse | Redirect:
         """Step 3: Site settings."""
         flash = request.session.pop("flash", None)
         error = request.session.pop("setup_error", None)
 
+        # If site is already configured and no errors, skip to next step
+        if await is_site_configured() and not error:
+            next_step = await get_first_incomplete_step()
+            if next_step.value != "site":
+                request.session["setup_wizard_step"] = next_step.value
+                return Redirect(path=f"/setup/{next_step.value}")
+
         return TemplateResponse(
             "setup/site.html",
             context={
@@ -356,9 +454,11 @@ class SetupController(Controller):
                 # Reload cache
                 await setting_service.load_site_settings_cache(db_session)
 
-            request.session["setup_wizard_step"] = "admin"
+            # Determine next step using smart detection - should be admin at this point
+            next_step = await get_first_incomplete_step()
+            request.session["setup_wizard_step"] = next_step.value
             request.session["flash"] = "Site settings saved!"
-            return Redirect(path="/setup/admin")
+            return Redirect(path=f"/setup/{next_step.value}")
 
         except Exception as e:
             request.session["setup_error"] = str(e)
@@ -621,31 +721,68 @@ class SetupAuthController(Controller):
         if not oauth_id:
             raise HTTPException(status_code=400, detail="Could not determine user ID")
 
+        email = user_data["email"]
+
         # Create user and mark setup complete
         async with get_setup_db_session() as db_session:
-            # Check if user exists
+            # Step 1: Check if OAuth account already exists
             result = await db_session.execute(
-                select(User).where(User.oauth_id == oauth_id, User.oauth_provider == provider)
+                select(OAuthAccount)
+                .options(selectinload(OAuthAccount.user))
+                .where(OAuthAccount.provider == provider, OAuthAccount.provider_account_id == oauth_id)
             )
-            user = result.scalar_one_or_none()
+            oauth_account = result.scalar_one_or_none()
 
-            if user:
+            if oauth_account:
+                # Existing OAuth account - update user profile
+                user = oauth_account.user
                 user.name = user_data["name"]
                 if user_data["picture_url"]:
                     user.picture_url = user_data["picture_url"]
                 user.last_login_at = datetime.now(UTC)
+                if email:
+                    oauth_account.provider_email = email
             else:
-                # Create new user
-                user = User(
-                    oauth_provider=provider,
-                    oauth_id=oauth_id,
-                    email=user_data["email"],
-                    name=user_data["name"],
-                    picture_url=user_data["picture_url"],
-                    last_login_at=datetime.now(UTC),
-                )
-                db_session.add(user)
-                await db_session.flush()
+                # Step 2: Check if a user with this email already exists
+                user = None
+                if email:
+                    result = await db_session.execute(
+                        select(User).where(User.email == email)
+                    )
+                    user = result.scalar_one_or_none()
+
+                if user:
+                    # Link new OAuth account to existing user
+                    oauth_account = OAuthAccount(
+                        provider=provider,
+                        provider_account_id=oauth_id,
+                        provider_email=email,
+                        user_id=user.id,
+                    )
+                    db_session.add(oauth_account)
+                    # Update user profile
+                    user.name = user_data["name"]
+                    if user_data["picture_url"]:
+                        user.picture_url = user_data["picture_url"]
+                    user.last_login_at = datetime.now(UTC)
+                else:
+                    # Step 3: Create new user + OAuth account
+                    user = User(
+                        email=email,
+                        name=user_data["name"],
+                        picture_url=user_data["picture_url"],
+                        last_login_at=datetime.now(UTC),
+                    )
+                    db_session.add(user)
+                    await db_session.flush()
+
+                    oauth_account = OAuthAccount(
+                        provider=provider,
+                        provider_account_id=oauth_id,
+                        provider_email=email,
+                        user_id=user.id,
+                    )
+                    db_session.add(oauth_account)
 
             # Ensure roles are synced (they may not exist if DB was created after server start)
             from skrift.auth import sync_roles_to_database

skrift/setup/providers.py

@@ -2,6 +2,8 @@
 
 from dataclasses import dataclass
 
+DUMMY_PROVIDER_KEY = "dummy"
+
 
 @dataclass
 class OAuthProviderInfo:
@@ -150,6 +152,17 @@ OAUTH_PROVIDERS = {
         """.strip(),
         icon="twitter",
     ),
+    DUMMY_PROVIDER_KEY: OAuthProviderInfo(
+        name="Dummy (Development Only)",
+        auth_url="",
+        token_url="",
+        userinfo_url="",
+        scopes=[],
+        console_url="",
+        fields=[],
+        instructions="Development-only provider. DO NOT use in production.",
+        icon="dummy",
+    ),
 }
 
 
@@ -159,5 +172,43 @@ def get_provider_info(provider: str) -> OAuthProviderInfo | None:
 
 
 def get_all_providers() -> dict[str, OAuthProviderInfo]:
-    """Get all available OAuth providers."""
-    return OAUTH_PROVIDERS.copy()
+    """Get all available OAuth providers (excluding dev-only providers)."""
+    return {k: v for k, v in OAUTH_PROVIDERS.items() if k != DUMMY_PROVIDER_KEY}
+
+
+def validate_no_dummy_auth_in_production() -> None:
+    """Exit process if dummy auth is configured in production."""
+    import os
+    import signal
+    import sys
+
+    from skrift.config import get_environment, load_raw_app_config
+
+    if get_environment() != "production":
+        return
+
+    config = load_raw_app_config()
+    if config is None:
+        return
+
+    providers = config.get("auth", {}).get("providers", {})
+    if DUMMY_PROVIDER_KEY in providers:
+        # Only print if we haven't already (use env var as cross-process flag)
+        if not os.environ.get("_SKRIFT_DUMMY_ERROR_PRINTED"):
+            os.environ["_SKRIFT_DUMMY_ERROR_PRINTED"] = "1"
+            sys.stderr.write(
+                "\n"
+                "======================================================================\n"
+                "SECURITY ERROR: Dummy auth provider is configured in production.\n"
+                "Remove 'dummy' from auth.providers in app.yaml.\n"
+                "Server will NOT start.\n"
+                "======================================================================\n\n"
+            )
+            sys.stderr.flush()
+
+        # Kill parent process (uvicorn reloader) to stop respawning
+        try:
+            os.kill(os.getppid(), signal.SIGTERM)
+        except (ProcessLookupError, PermissionError):
+            pass
+        os._exit(1)