Initial commit - production deployment

2026-01-21 17:17:16 +01:00
commit c23d00dd92
2289 changed files with 638440 additions and 0 deletions
--- a/services/auth/migrations/env.py
+++ b/services/auth/migrations/env.py
@@ -0,0 +1,141 @@
+"""Alembic environment configuration for auth service"""
+
+import asyncio
+import os
+import sys
+from logging.config import fileConfig
+from sqlalchemy import pool
+from sqlalchemy.engine import Connection
+from sqlalchemy.ext.asyncio import async_engine_from_config
+from alembic import context
+
+# Add the service directory to the Python path
+service_path = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
+if service_path not in sys.path:
+    sys.path.insert(0, service_path)
+
+# Add shared modules to path
+shared_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "..", "shared"))
+if shared_path not in sys.path:
+    sys.path.insert(0, shared_path)
+
+try:
+    from app.core.config import settings
+    from shared.database.base import Base
+
+    # Import all models to ensure they are registered with Base.metadata
+    from app.models import *  # noqa: F401, F403
+
+except ImportError as e:
+    print(f"Import error in migrations env.py: {e}")
+    print(f"Current Python path: {sys.path}")
+    raise
+
+# this is the Alembic Config object
+config = context.config
+
+# Determine service name from file path
+service_name = os.path.basename(os.path.dirname(os.path.dirname(__file__)))
+service_name_upper = service_name.upper().replace('-', '_')
+
+# Set database URL from environment variables with multiple fallback strategies
+database_url = (
+    os.getenv(f'{service_name_upper}_DATABASE_URL') or  # Service-specific
+    os.getenv('DATABASE_URL')  # Generic fallback
+)
+
+# If DATABASE_URL is not set, construct from individual components
+if not database_url:
+    # Try generic PostgreSQL environment variables first
+    postgres_host = os.getenv('POSTGRES_HOST')
+    postgres_port = os.getenv('POSTGRES_PORT', '5432')
+    postgres_db = os.getenv('POSTGRES_DB')
+    postgres_user = os.getenv('POSTGRES_USER')
+    postgres_password = os.getenv('POSTGRES_PASSWORD')
+
+    if all([postgres_host, postgres_db, postgres_user, postgres_password]):
+        database_url = f"postgresql+asyncpg://{postgres_user}:{postgres_password}@{postgres_host}:{postgres_port}/{postgres_db}"
+    else:
+        # Try service-specific environment variables
+        db_host = os.getenv(f'{service_name_upper}_DB_HOST', f'{service_name}-db-service')
+        db_port = os.getenv(f'{service_name_upper}_DB_PORT', '5432')
+        db_name = os.getenv(f'{service_name_upper}_DB_NAME', f'{service_name.replace("-", "_")}_db')
+        db_user = os.getenv(f'{service_name_upper}_DB_USER', f'{service_name.replace("-", "_")}_user')
+        db_password = os.getenv(f'{service_name_upper}_DB_PASSWORD')
+
+        if db_password:
+            database_url = f"postgresql+asyncpg://{db_user}:{db_password}@{db_host}:{db_port}/{db_name}"
+        else:
+            # Final fallback: try to get from settings object
+            try:
+                database_url = getattr(settings, 'DATABASE_URL', None)
+            except Exception:
+                pass
+
+if not database_url:
+    error_msg = f"ERROR: No database URL configured for {service_name} service"
+    print(error_msg)
+    raise Exception(error_msg)
+
+config.set_main_option("sqlalchemy.url", database_url)
+
+# Interpret the config file for Python logging
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# Set target metadata
+target_metadata = Base.metadata
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode."""
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+        compare_type=True,
+        compare_server_default=True,
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def do_run_migrations(connection: Connection) -> None:
+    """Execute migrations with the given connection."""
+    context.configure(
+        connection=connection,
+        target_metadata=target_metadata,
+        compare_type=True,
+        compare_server_default=True,
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+async def run_async_migrations() -> None:
+    """Run migrations in 'online' mode with async support."""
+    connectable = async_engine_from_config(
+        config.get_section(config.config_ini_section, {}),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    async with connectable.connect() as connection:
+        await connection.run_sync(do_run_migrations)
+
+    await connectable.dispose()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode."""
+    asyncio.run(run_async_migrations())
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()
--- a/services/auth/migrations/script.py.mako
+++ b/services/auth/migrations/script.py.mako
@@ -0,0 +1,26 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    ${downgrades if downgrades else "pass"}
--- a/services/auth/migrations/versions/initial_schema_unified.py
+++ b/services/auth/migrations/versions/initial_schema_unified.py
@@ -0,0 +1,262 @@
+"""Unified initial schema for auth service
+
+This migration combines all previous migrations into a single initial schema:
+- Initial tables (users, refresh_tokens, login_attempts, audit_logs, onboarding)
+- GDPR consent tables (user_consents, consent_history)
+- Payment columns added to users table
+- Password reset tokens table
+- Tenant ID made nullable in audit logs
+
+Revision ID: initial_unified
+Revises: 
+Create Date: 2026-01-16 14:00:00.000000
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision: str = 'initial_unified'
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # Create all tables in the correct order (respecting foreign key dependencies)
+    
+    # Base tables without dependencies
+    op.create_table('users',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('email', sa.String(length=255), nullable=False),
+    sa.Column('hashed_password', sa.String(length=255), nullable=False),
+    sa.Column('full_name', sa.String(length=255), nullable=False),
+    sa.Column('is_active', sa.Boolean(), nullable=True),
+    sa.Column('is_verified', sa.Boolean(), nullable=True),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('last_login', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('phone', sa.String(length=20), nullable=True),
+    sa.Column('language', sa.String(length=10), nullable=True),
+    sa.Column('timezone', sa.String(length=50), nullable=True),
+    sa.Column('role', sa.String(length=20), nullable=False),
+    # Payment-related columns
+    sa.Column('payment_customer_id', sa.String(length=255), nullable=True),
+    sa.Column('default_payment_method_id', sa.String(length=255), nullable=True),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_users_email'), 'users', ['email'], unique=True)
+    op.create_index(op.f('ix_users_payment_customer_id'), 'users', ['payment_customer_id'], unique=False)
+    
+    op.create_table('login_attempts',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('email', sa.String(length=255), nullable=False),
+    sa.Column('ip_address', sa.String(length=45), nullable=False),
+    sa.Column('user_agent', sa.Text(), nullable=True),
+    sa.Column('success', sa.Boolean(), nullable=True),
+    sa.Column('failure_reason', sa.String(length=255), nullable=True),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=True),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_login_attempts_email'), 'login_attempts', ['email'], unique=False)
+    
+    # Tables that reference users
+    op.create_table('refresh_tokens',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('token', sa.Text(), nullable=False),
+    sa.Column('token_hash', sa.String(length=255), nullable=True),
+    sa.Column('expires_at', sa.DateTime(timezone=True), nullable=False),
+    sa.Column('is_revoked', sa.Boolean(), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('revoked_at', sa.DateTime(timezone=True), nullable=True),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('token_hash')
+    )
+    op.create_index('ix_refresh_tokens_expires_at', 'refresh_tokens', ['expires_at'], unique=False)
+    op.create_index('ix_refresh_tokens_token_hash', 'refresh_tokens', ['token_hash'], unique=False)
+    op.create_index(op.f('ix_refresh_tokens_user_id'), 'refresh_tokens', ['user_id'], unique=False)
+    op.create_index('ix_refresh_tokens_user_id_active', 'refresh_tokens', ['user_id', 'is_revoked'], unique=False)
+    
+    op.create_table('user_onboarding_progress',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('step_name', sa.String(length=50), nullable=False),
+    sa.Column('completed', sa.Boolean(), nullable=False),
+    sa.Column('completed_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('step_data', sa.JSON(), nullable=True),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('user_id', 'step_name', name='uq_user_step')
+    )
+    op.create_index(op.f('ix_user_onboarding_progress_user_id'), 'user_onboarding_progress', ['user_id'], unique=False)
+    
+    op.create_table('user_onboarding_summary',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('current_step', sa.String(length=50), nullable=False),
+    sa.Column('next_step', sa.String(length=50), nullable=True),
+    sa.Column('completion_percentage', sa.String(length=50), nullable=True),
+    sa.Column('fully_completed', sa.Boolean(), nullable=True),
+    sa.Column('steps_completed_count', sa.String(length=50), nullable=True),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('updated_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('last_activity_at', sa.DateTime(timezone=True), nullable=True),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_user_onboarding_summary_user_id'), 'user_onboarding_summary', ['user_id'], unique=True)
+    
+    op.create_table('password_reset_tokens',
+    sa.Column('id', postgresql.UUID(as_uuid=True), nullable=False),
+    sa.Column('user_id', postgresql.UUID(as_uuid=True), nullable=False),
+    sa.Column('token', sa.String(length=255), nullable=False),
+    sa.Column('expires_at', sa.DateTime(timezone=True), nullable=False),
+    sa.Column('is_used', sa.Boolean(), nullable=False, default=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=False,
+              server_default=sa.text("timezone('utc', CURRENT_TIMESTAMP)")),
+    sa.Column('used_at', sa.DateTime(timezone=True), nullable=True),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('token'),
+    )
+    op.create_index('ix_password_reset_tokens_user_id', 'password_reset_tokens', ['user_id'])
+    op.create_index('ix_password_reset_tokens_token', 'password_reset_tokens', ['token'])
+    op.create_index('ix_password_reset_tokens_expires_at', 'password_reset_tokens', ['expires_at'])
+    op.create_index('ix_password_reset_tokens_is_used', 'password_reset_tokens', ['is_used'])
+    
+    # GDPR consent tables
+    op.create_table('user_consents',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('terms_accepted', sa.Boolean(), nullable=False),
+    sa.Column('privacy_accepted', sa.Boolean(), nullable=False),
+    sa.Column('marketing_consent', sa.Boolean(), nullable=False),
+    sa.Column('analytics_consent', sa.Boolean(), nullable=False),
+    sa.Column('consent_version', sa.String(length=20), nullable=False),
+    sa.Column('consent_method', sa.String(length=50), nullable=False),
+    sa.Column('ip_address', sa.String(length=45), nullable=True),
+    sa.Column('user_agent', sa.Text(), nullable=True),
+    sa.Column('terms_text_hash', sa.String(length=64), nullable=True),
+    sa.Column('privacy_text_hash', sa.String(length=64), nullable=True),
+    sa.Column('consented_at', sa.DateTime(timezone=True), nullable=False),
+    sa.Column('withdrawn_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('extra_data', postgresql.JSON(astext_type=sa.Text()), nullable=True),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index('idx_user_consent_consented_at', 'user_consents', ['consented_at'], unique=False)
+    op.create_index('idx_user_consent_user_id', 'user_consents', ['user_id'], unique=False)
+    op.create_index(op.f('ix_user_consents_user_id'), 'user_consents', ['user_id'], unique=False)
+    
+    op.create_table('consent_history',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('consent_id', sa.UUID(), nullable=True),
+    sa.Column('action', sa.String(length=50), nullable=False),
+    sa.Column('consent_snapshot', postgresql.JSON(astext_type=sa.Text()), nullable=False),
+    sa.Column('ip_address', sa.String(length=45), nullable=True),
+    sa.Column('user_agent', sa.Text(), nullable=True),
+    sa.Column('consent_method', sa.String(length=50), nullable=True),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=False),
+    sa.ForeignKeyConstraint(['consent_id'], ['user_consents.id'], ondelete='SET NULL'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index('idx_consent_history_action', 'consent_history', ['action'], unique=False)
+    op.create_index('idx_consent_history_created_at', 'consent_history', ['created_at'], unique=False)
+    op.create_index('idx_consent_history_user_id', 'consent_history', ['user_id'], unique=False)
+    op.create_index(op.f('ix_consent_history_created_at'), 'consent_history', ['created_at'], unique=False)
+    op.create_index(op.f('ix_consent_history_user_id'), 'consent_history', ['user_id'], unique=False)
+    
+    # Audit logs table (with tenant_id nullable as per the last migration)
+    op.create_table('audit_logs',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('tenant_id', sa.UUID(), nullable=True),  # Made nullable per last migration
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('action', sa.String(length=100), nullable=False),
+    sa.Column('resource_type', sa.String(length=100), nullable=False),
+    sa.Column('resource_id', sa.String(length=255), nullable=True),
+    sa.Column('severity', sa.String(length=20), nullable=False),
+    sa.Column('service_name', sa.String(length=100), nullable=False),
+    sa.Column('description', sa.Text(), nullable=True),
+    sa.Column('changes', postgresql.JSON(astext_type=sa.Text()), nullable=True),
+    sa.Column('audit_metadata', postgresql.JSON(astext_type=sa.Text()), nullable=True),
+    sa.Column('ip_address', sa.String(length=45), nullable=True),
+    sa.Column('user_agent', sa.Text(), nullable=True),
+    sa.Column('endpoint', sa.String(length=255), nullable=True),
+    sa.Column('method', sa.String(length=10), nullable=True),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index('idx_audit_resource_type_action', 'audit_logs', ['resource_type', 'action'], unique=False)
+    op.create_index('idx_audit_service_created', 'audit_logs', ['service_name', 'created_at'], unique=False)
+    op.create_index('idx_audit_severity_created', 'audit_logs', ['severity', 'created_at'], unique=False)
+    op.create_index('idx_audit_tenant_created', 'audit_logs', ['tenant_id', 'created_at'], unique=False)
+    op.create_index('idx_audit_user_created', 'audit_logs', ['user_id', 'created_at'], unique=False)
+    op.create_index(op.f('ix_audit_logs_action'), 'audit_logs', ['action'], unique=False)
+    op.create_index(op.f('ix_audit_logs_created_at'), 'audit_logs', ['created_at'], unique=False)
+    op.create_index(op.f('ix_audit_logs_resource_id'), 'audit_logs', ['resource_id'], unique=False)
+    op.create_index(op.f('ix_audit_logs_resource_type'), 'audit_logs', ['resource_type'], unique=False)
+    op.create_index(op.f('ix_audit_logs_service_name'), 'audit_logs', ['service_name'], unique=False)
+    op.create_index(op.f('ix_audit_logs_severity'), 'audit_logs', ['severity'], unique=False)
+    op.create_index(op.f('ix_audit_logs_tenant_id'), 'audit_logs', ['tenant_id'], unique=False)
+    op.create_index(op.f('ix_audit_logs_user_id'), 'audit_logs', ['user_id'], unique=False)
+
+
+def downgrade() -> None:
+    # Drop tables in reverse order (respecting foreign key dependencies)
+    op.drop_index(op.f('ix_audit_logs_user_id'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_tenant_id'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_severity'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_service_name'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_resource_type'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_resource_id'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_created_at'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_action'), table_name='audit_logs')
+    op.drop_index('idx_audit_user_created', table_name='audit_logs')
+    op.drop_index('idx_audit_tenant_created', table_name='audit_logs')
+    op.drop_index('idx_audit_severity_created', table_name='audit_logs')
+    op.drop_index('idx_audit_service_created', table_name='audit_logs')
+    op.drop_index('idx_audit_resource_type_action', table_name='audit_logs')
+    op.drop_table('audit_logs')
+    
+    op.drop_index(op.f('ix_consent_history_user_id'), table_name='consent_history')
+    op.drop_index(op.f('ix_consent_history_created_at'), table_name='consent_history')
+    op.drop_index('idx_consent_history_user_id', table_name='consent_history')
+    op.drop_index('idx_consent_history_created_at', table_name='consent_history')
+    op.drop_index('idx_consent_history_action', table_name='consent_history')
+    op.drop_table('consent_history')
+    
+    op.drop_index(op.f('ix_user_consents_user_id'), table_name='user_consents')
+    op.drop_index('idx_user_consent_user_id', table_name='user_consents')
+    op.drop_index('idx_user_consent_consented_at', table_name='user_consents')
+    op.drop_table('user_consents')
+    
+    op.drop_index('ix_password_reset_tokens_is_used', table_name='password_reset_tokens')
+    op.drop_index('ix_password_reset_tokens_expires_at', table_name='password_reset_tokens')
+    op.drop_index('ix_password_reset_tokens_token', table_name='password_reset_tokens')
+    op.drop_index('ix_password_reset_tokens_user_id', table_name='password_reset_tokens')
+    op.drop_table('password_reset_tokens')
+    
+    op.drop_index(op.f('ix_user_onboarding_summary_user_id'), table_name='user_onboarding_summary')
+    op.drop_table('user_onboarding_summary')
+    
+    op.drop_index(op.f('ix_user_onboarding_progress_user_id'), table_name='user_onboarding_progress')
+    op.drop_table('user_onboarding_progress')
+    
+    op.drop_index('ix_refresh_tokens_user_id_active', table_name='refresh_tokens')
+    op.drop_index(op.f('ix_refresh_tokens_user_id'), table_name='refresh_tokens')
+    op.drop_index('ix_refresh_tokens_token_hash', table_name='refresh_tokens')
+    op.drop_index('ix_refresh_tokens_expires_at', table_name='refresh_tokens')
+    op.drop_table('refresh_tokens')
+    
+    op.drop_index(op.f('ix_login_attempts_email'), table_name='login_attempts')
+    op.drop_table('login_attempts')
+    
+    op.drop_index(op.f('ix_users_payment_customer_id'), table_name='users')
+    op.drop_index(op.f('ix_users_email'), table_name='users')
+    op.drop_table('users')