skrift 0.1.0a2__tar.gz → 0.1.0a4__tar.gz

{skrift-0.1.0a2 → skrift-0.1.0a4}/.gitignore

@@ -20,6 +20,8 @@ wheels/
 
 # App configuration (generated by setup wizard)
 app.yaml
+app.*.yaml
 app.bak.yaml
 app.yaml.backup.*
+app.*.yaml.backup.*
 site/

{skrift-0.1.0a2 → skrift-0.1.0a4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: skrift
-Version: 0.1.0a2
+Version: 0.1.0a4
 Summary: A lightweight async Python CMS for crafting modern websites
 Requires-Python: >=3.13
 Requires-Dist: advanced-alchemy>=0.26.0

{skrift-0.1.0a2 → skrift-0.1.0a4}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "skrift"
-version = "0.1.0a2"
+version = "0.1.0a4"
 description = "A lightweight async Python CMS for crafting modern websites"
 readme = "README.md"
 requires-python = ">=3.13"

{skrift-0.1.0a2 → skrift-0.1.0a4}/skrift/alembic/env.py

@@ -12,6 +12,7 @@ from skrift.config import get_settings
 from skrift.db.base import Base
 
 # Import all models to ensure they're registered with Base.metadata
+from skrift.db.models.oauth_account import OAuthAccount  # noqa: F401
 from skrift.db.models.user import User  # noqa: F401
 from skrift.db.models.page import Page  # noqa: F401
 from skrift.db.models.role import Role, RolePermission  # noqa: F401
@@ -31,7 +32,7 @@ def get_url() -> str:
     """Get database URL from settings or alembic.ini."""
     try:
         settings = get_settings()
-        return settings.database_url
+        return settings.db.url
     except Exception:
         # Fall back to alembic.ini config if settings can't be loaded
         return config.get_main_option("sqlalchemy.url", "")

skrift-0.1.0a4/skrift/alembic/versions/20260129_add_oauth_accounts.py

@@ -0,0 +1,134 @@
+"""add oauth_accounts table
+
+Revision ID: 1a2b3c4d5e6f
+Revises: 8f3a5c2d1e0b
+Create Date: 2026-01-29 10:00:00.000000
+
+This migration:
+1. Creates the oauth_accounts table to store multiple OAuth identities per user
+2. Migrates existing oauth data from users table to oauth_accounts
+3. Makes users.email nullable (for providers like Twitter that don't provide email)
+4. Removes oauth_provider and oauth_id columns from users table
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from advanced_alchemy.types import GUID, DateTimeUTC
+
+
+# revision identifiers, used by Alembic.
+revision: str = '1a2b3c4d5e6f'
+down_revision: Union[str, None] = '8f3a5c2d1e0b'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Step 1: Create oauth_accounts table
+    op.create_table(
+        'oauth_accounts',
+        sa.Column('id', GUID(length=16), nullable=False),
+        sa.Column('created_at', DateTimeUTC(timezone=True), nullable=False),
+        sa.Column('updated_at', DateTimeUTC(timezone=True), nullable=False),
+        sa.Column('sa_orm_sentinel', sa.Integer(), nullable=True),
+        sa.Column('provider', sa.String(length=50), nullable=False),
+        sa.Column('provider_account_id', sa.String(length=255), nullable=False),
+        sa.Column('provider_email', sa.String(length=255), nullable=True),
+        sa.Column('user_id', GUID(length=16), nullable=False),
+        sa.PrimaryKeyConstraint('id', name=op.f('pk_oauth_accounts')),
+        sa.ForeignKeyConstraint(
+            ['user_id'], ['users.id'],
+            name=op.f('fk_oauth_accounts_user_id_users'),
+            ondelete='CASCADE'
+        ),
+        sa.UniqueConstraint(
+            'provider', 'provider_account_id',
+            name='uq_oauth_provider_account'
+        ),
+    )
+    op.create_index(
+        op.f('ix_oauth_accounts_user_id'),
+        'oauth_accounts',
+        ['user_id'],
+        unique=False
+    )
+    op.create_index(
+        op.f('ix_oauth_accounts_provider_account'),
+        'oauth_accounts',
+        ['provider', 'provider_account_id'],
+        unique=True
+    )
+
+    # Step 2: Migrate existing data from users to oauth_accounts
+    # Generate binary UUIDs (16 bytes) for new records and copy oauth data
+    conn = op.get_bind()
+    conn.execute(sa.text("""
+        INSERT INTO oauth_accounts (id, created_at, updated_at, provider, provider_account_id, provider_email, user_id)
+        SELECT
+            randomblob(16),
+            created_at,
+            updated_at,
+            oauth_provider,
+            oauth_id,
+            email,
+            id
+        FROM users
+        WHERE oauth_provider IS NOT NULL AND oauth_id IS NOT NULL
+    """))
+
+    # Step 3: Make email nullable on users table
+    # SQLite doesn't support ALTER COLUMN, so we need to recreate the table
+    # For SQLite, we'll use batch_alter_table
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        # Drop the unique constraint on oauth_id
+        batch_op.drop_constraint('uq_users_oauth_id', type_='unique')
+        # Drop the oauth columns
+        batch_op.drop_column('oauth_provider')
+        batch_op.drop_column('oauth_id')
+        # Make email nullable - this requires recreating the column in SQLite
+        batch_op.alter_column('email',
+                              existing_type=sa.String(length=255),
+                              nullable=True)
+
+
+def downgrade() -> None:
+    # Step 1: Add back oauth columns to users table
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        batch_op.add_column(sa.Column('oauth_provider', sa.String(length=50), nullable=True))
+        batch_op.add_column(sa.Column('oauth_id', sa.String(length=255), nullable=True))
+        batch_op.alter_column('email',
+                              existing_type=sa.String(length=255),
+                              nullable=False)
+
+    # Step 2: Migrate data back from oauth_accounts to users
+    # Only migrate the first oauth account per user
+    conn = op.get_bind()
+    conn.execute(sa.text("""
+        UPDATE users
+        SET oauth_provider = (
+            SELECT provider FROM oauth_accounts
+            WHERE oauth_accounts.user_id = users.id
+            LIMIT 1
+        ),
+        oauth_id = (
+            SELECT provider_account_id FROM oauth_accounts
+            WHERE oauth_accounts.user_id = users.id
+            LIMIT 1
+        )
+    """))
+
+    # Step 3: Make oauth columns non-nullable and add unique constraint
+    with op.batch_alter_table('users', schema=None) as batch_op:
+        batch_op.alter_column('oauth_provider',
+                              existing_type=sa.String(length=50),
+                              nullable=False)
+        batch_op.alter_column('oauth_id',
+                              existing_type=sa.String(length=255),
+                              nullable=False)
+        batch_op.create_unique_constraint('uq_users_oauth_id', ['oauth_id'])
+
+    # Step 4: Drop oauth_accounts table
+    op.drop_index(op.f('ix_oauth_accounts_provider_account'), table_name='oauth_accounts')
+    op.drop_index(op.f('ix_oauth_accounts_user_id'), table_name='oauth_accounts')
+    op.drop_table('oauth_accounts')

{skrift-0.1.0a2 → skrift-0.1.0a4}/skrift/alembic.ini

@@ -1,8 +1,8 @@
 # Alembic Configuration File
 
 [alembic]
-# Path to migration scripts
-script_location = alembic
+# Path to migration scripts (relative to this file)
+script_location = %(here)s/alembic
 
 # Template used to generate migration files
 file_template = %%(year)d%%(month).2d%%(day).2d_%%(hour).2d%%(minute).2d%%(second).2d_%%(rev)s_%%(slug)s

{skrift-0.1.0a2 → skrift-0.1.0a4}/skrift/cli.py

@@ -19,24 +19,33 @@ def db() -> None:
     """
     from alembic.config import main as alembic_main
 
-    # Ensure we're running from the project root where alembic.ini is located
-    # If alembic.ini is not in cwd, check common locations
-    alembic_ini = Path.cwd() / "alembic.ini"
-
+    import os
+
+    # Always run from the project root (where app.yaml and .env are)
+    # This ensures database paths like ./app.db resolve correctly
+    project_root = Path.cwd()
+    if not (project_root / "app.yaml").exists():
+        # If not in project root, try parent directory
+        project_root = Path(__file__).parent.parent
+    os.chdir(project_root)
+
+    # Find alembic.ini - check project root first, then skrift package directory
+    alembic_ini = project_root / "alembic.ini"
     if not alembic_ini.exists():
-        # Try to find alembic.ini relative to this module
-        module_dir = Path(__file__).parent.parent
-        alembic_ini = module_dir / "alembic.ini"
-
-        if alembic_ini.exists():
-            # Change to the directory containing alembic.ini
-            import os
-            os.chdir(module_dir)
-        else:
+        skrift_dir = Path(__file__).parent
+        alembic_ini = skrift_dir / "alembic.ini"
+
+        if not alembic_ini.exists():
             print("Error: Could not find alembic.ini", file=sys.stderr)
             print("Make sure you're running from the project root directory.", file=sys.stderr)
             sys.exit(1)
 
+    # Build argv with config path at the beginning (before any subcommand)
+    # Original argv: ['skrift-db', 'upgrade', 'head']
+    # New argv: ['skrift-db', '-c', '/path/to/alembic.ini', 'upgrade', 'head']
+    new_argv = [sys.argv[0], "-c", str(alembic_ini)] + sys.argv[1:]
+    sys.argv = new_argv
+
     # Pass through all CLI arguments to Alembic
     sys.exit(alembic_main(sys.argv[1:]))
 

{skrift-0.1.0a2 → skrift-0.1.0a4}/skrift/config.py

@@ -9,8 +9,8 @@ from pydantic import BaseModel
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 # Load .env file early so env vars are available for YAML interpolation
-# Use explicit path to handle subprocess spawning (uvicorn workers)
-_env_file = Path(__file__).parent.parent / ".env"
+# Load from current working directory (where app.yaml lives)
+_env_file = Path.cwd() / ".env"
 load_dotenv(_env_file)
 
 # Pattern to match $VAR_NAME environment variable references

{skrift-0.1.0a2 → skrift-0.1.0a4}/skrift/controllers/auth.py

@@ -18,8 +18,10 @@ from litestar.params import Parameter
 from litestar.response import Redirect, Template as TemplateResponse
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy.orm import selectinload
 
 from skrift.config import get_settings
+from skrift.db.models.oauth_account import OAuthAccount
 from skrift.db.models.user import User
 from skrift.setup.providers import DUMMY_PROVIDER_KEY, OAUTH_PROVIDERS, get_provider_info
 
@@ -315,30 +317,67 @@ class AuthController(Controller):
         if not oauth_id:
             raise HTTPException(status_code=400, detail="Could not determine user ID")
 
-        # Find or create user
+        email = user_data["email"]
+
+        # Step 1: Check if OAuth account already exists
         result = await db_session.execute(
-            select(User).where(User.oauth_id == oauth_id, User.oauth_provider == provider)
+            select(OAuthAccount)
+            .options(selectinload(OAuthAccount.user))
+            .where(OAuthAccount.provider == provider, OAuthAccount.provider_account_id == oauth_id)
         )
-        user = result.scalar_one_or_none()
+        oauth_account = result.scalar_one_or_none()
 
-        if user:
-            # Update existing user
+        if oauth_account:
+            # Existing OAuth account - update user profile
+            user = oauth_account.user
             user.name = user_data["name"]
             if user_data["picture_url"]:
                 user.picture_url = user_data["picture_url"]
             user.last_login_at = datetime.now(UTC)
+            # Update provider email if changed
+            if email:
+                oauth_account.provider_email = email
         else:
-            # Create new user (admin role is only assigned through setup flow)
-            user = User(
-                oauth_provider=provider,
-                oauth_id=oauth_id,
-                email=user_data["email"],
-                name=user_data["name"],
-                picture_url=user_data["picture_url"],
-                last_login_at=datetime.now(UTC),
-            )
-            db_session.add(user)
-            await db_session.flush()
+            # Step 2: Check if a user with this email already exists
+            user = None
+            if email:
+                result = await db_session.execute(
+                    select(User).where(User.email == email)
+                )
+                user = result.scalar_one_or_none()
+
+            if user:
+                # Link new OAuth account to existing user
+                oauth_account = OAuthAccount(
+                    provider=provider,
+                    provider_account_id=oauth_id,
+                    provider_email=email,
+                    user_id=user.id,
+                )
+                db_session.add(oauth_account)
+                # Update user profile
+                user.name = user_data["name"]
+                if user_data["picture_url"]:
+                    user.picture_url = user_data["picture_url"]
+                user.last_login_at = datetime.now(UTC)
+            else:
+                # Step 3: Create new user + OAuth account
+                user = User(
+                    email=email,
+                    name=user_data["name"],
+                    picture_url=user_data["picture_url"],
+                    last_login_at=datetime.now(UTC),
+                )
+                db_session.add(user)
+                await db_session.flush()
+
+                oauth_account = OAuthAccount(
+                    provider=provider,
+                    provider_account_id=oauth_id,
+                    provider_email=email,
+                    user_id=user.id,
+                )
+                db_session.add(oauth_account)
 
         await db_session.commit()
 
@@ -405,31 +444,60 @@ class AuthController(Controller):
         # Generate deterministic oauth_id from email
         oauth_id = f"dummy_{hashlib.sha256(email.encode()).hexdigest()[:16]}"
 
-        # Find or create user
+        # Step 1: Check if OAuth account already exists
         result = await db_session.execute(
-            select(User).where(
-                User.oauth_id == oauth_id,
-                User.oauth_provider == DUMMY_PROVIDER_KEY,
+            select(OAuthAccount)
+            .options(selectinload(OAuthAccount.user))
+            .where(
+                OAuthAccount.provider == DUMMY_PROVIDER_KEY,
+                OAuthAccount.provider_account_id == oauth_id,
             )
         )
-        user = result.scalar_one_or_none()
+        oauth_account = result.scalar_one_or_none()
 
-        if user:
-            # Update existing user
+        if oauth_account:
+            # Existing OAuth account - update user profile
+            user = oauth_account.user
             user.name = name
             user.email = email
             user.last_login_at = datetime.now(UTC)
+            oauth_account.provider_email = email
         else:
-            # Create new user
-            user = User(
-                oauth_provider=DUMMY_PROVIDER_KEY,
-                oauth_id=oauth_id,
-                email=email,
-                name=name,
-                last_login_at=datetime.now(UTC),
+            # Step 2: Check if a user with this email already exists
+            result = await db_session.execute(
+                select(User).where(User.email == email)
             )
-            db_session.add(user)
-            await db_session.flush()
+            user = result.scalar_one_or_none()
+
+            if user:
+                # Link new OAuth account to existing user
+                oauth_account = OAuthAccount(
+                    provider=DUMMY_PROVIDER_KEY,
+                    provider_account_id=oauth_id,
+                    provider_email=email,
+                    user_id=user.id,
+                )
+                db_session.add(oauth_account)
+                # Update user profile
+                user.name = name
+                user.last_login_at = datetime.now(UTC)
+            else:
+                # Step 3: Create new user + OAuth account
+                user = User(
+                    email=email,
+                    name=name,
+                    last_login_at=datetime.now(UTC),
+                )
+                db_session.add(user)
+                await db_session.flush()
+
+                oauth_account = OAuthAccount(
+                    provider=DUMMY_PROVIDER_KEY,
+                    provider_account_id=oauth_id,
+                    provider_email=email,
+                    user_id=user.id,
+                )
+                db_session.add(oauth_account)
 
         await db_session.commit()
 

{skrift-0.1.0a2 → skrift-0.1.0a4}/skrift/db/models/__init__.py

@@ -1,6 +1,7 @@
+from skrift.db.models.oauth_account import OAuthAccount
 from skrift.db.models.page import Page
 from skrift.db.models.role import Role, RolePermission, user_roles
 from skrift.db.models.setting import Setting
 from skrift.db.models.user import User
 
-__all__ = ["Page", "Role", "RolePermission", "Setting", "User", "user_roles"]
+__all__ = ["OAuthAccount", "Page", "Role", "RolePermission", "Setting", "User", "user_roles"]

skrift-0.1.0a4/skrift/db/models/oauth_account.py

@@ -0,0 +1,37 @@
+"""OAuth account model for storing multiple OAuth identities per user."""
+
+from typing import TYPE_CHECKING
+from uuid import UUID
+
+from sqlalchemy import ForeignKey, String, UniqueConstraint
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from skrift.db.base import Base
+
+if TYPE_CHECKING:
+    from skrift.db.models.user import User
+
+
+class OAuthAccount(Base):
+    """OAuth account model linking OAuth provider identities to users.
+
+    This allows a single user to have multiple OAuth provider accounts
+    linked to their profile, enabling login via different providers.
+    """
+
+    __tablename__ = "oauth_accounts"
+
+    provider: Mapped[str] = mapped_column(String(50), nullable=False)
+    provider_account_id: Mapped[str] = mapped_column(String(255), nullable=False)
+    provider_email: Mapped[str | None] = mapped_column(String(255), nullable=True)
+    user_id: Mapped[UUID] = mapped_column(
+        ForeignKey("users.id", ondelete="CASCADE"), nullable=False
+    )
+
+    user: Mapped["User"] = relationship("User", back_populates="oauth_accounts")
+
+    __table_args__ = (
+        UniqueConstraint(
+            "provider", "provider_account_id", name="uq_oauth_provider_account"
+        ),
+    )

{skrift-0.1.0a2 → skrift-0.1.0a4}/skrift/db/models/user.py

@@ -7,6 +7,7 @@ from sqlalchemy.orm import Mapped, mapped_column, relationship
 from skrift.db.base import Base
 
 if TYPE_CHECKING:
+    from skrift.db.models.oauth_account import OAuthAccount
     from skrift.db.models.page import Page
     from skrift.db.models.role import Role
 
@@ -16,12 +17,8 @@ class User(Base):
 
     __tablename__ = "users"
 
-    # OAuth identifiers
-    oauth_provider: Mapped[str] = mapped_column(String(50), nullable=False)
-    oauth_id: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
-
     # Profile data from OAuth provider
-    email: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+    email: Mapped[str | None] = mapped_column(String(255), nullable=True, unique=True)
     name: Mapped[str | None] = mapped_column(String(255), nullable=True)
     picture_url: Mapped[str | None] = mapped_column(String(512), nullable=True)
 
@@ -30,6 +27,9 @@ class User(Base):
     last_login_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
 
     # Relationships
+    oauth_accounts: Mapped[list["OAuthAccount"]] = relationship(
+        "OAuthAccount", back_populates="user", cascade="all, delete-orphan"
+    )
     pages: Mapped[list["Page"]] = relationship("Page", back_populates="user")
     roles: Mapped[list["Role"]] = relationship(
         "Role", secondary="user_roles", back_populates="users", lazy="selectin"